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ABSTRACT 


This thesis presents an implementation of segment 
management for the security kernel of a secure archival 
storage system. The basis for this implementation is a 
family of secure, distributed, multi-microprocessor 
operating systems designed to provide multilevel internal 
computer security and controlled sharing of data among 
authorized users. This implementation provides address space 
management for individual processes, based on segmentation 
aS a memory management scheme. Non~-discretionary information 
security is provided through enforcement of a security 
policy based ona lattice Structure that allows flexibility 
in representing different security policies; the Department 
of Defense (DoD) security classification system is the 
security policy represented in this thesis. Implementation 


was completed on the ZILOG Z8@@9 microprocessor. 
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I. INTRODUCTION 


This thesis addresses the implementation of the segment 
management functions of an operating syStem known as the 
Secure Archival Storage System or SASS. This system, with 
full implementation, will provide: (1) multilevel secure 
access to information (files) stored in a data warehouse 
for a network of multiple host computers, and (2) controlled 
data sharing among authorized users. The correct performance 
of both of these features is directly dependent upon the 
proper implementation of the segment management functions 
addressed in this thesis. The issue of access to sensitive 
information is addressed by the Non-Discretionary Security 
Module, which mediates all non~discretionary access to 
information. Sharing of information is accomplished chiefly 
through the properties of segmentation, the SASS memory 
Management scheme that is Supported by the Memory Manager 
Module and the Segment Manager Module. The implementation of 
Segment management for SASS is thus integral to the 
attainment of the two key goals that SASS was designed to 
achieve. This implementation addresses the Non~-Discretionary 
Security, Distributed Memory Manager (the interface to the 


Memory Manager Process), and Segment Manager modules. 
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A. BACKGROUND 

O°Connell and Richardson provided the design fora 
family of Secure, distributed, multi-microprocessor 
Operating systems from which the subset, SASS, was later 
derived [6]. In their work, two of the primary motivations 
were to provide a system that (1) effectively coordinated 
the processing power of microprocessors and (2) provided 
information security. 

The basis for emphasis on utilization of microprocessors 
is not purely that of replacing software with more powerful 
(and faster) hardware (microprocessors) but is also an 
economic issue. software development and computing 
operations are becoming more and more erpensive, putting 
further pressure on system designers to increasingly utilize 
people solely for syStem functions that computers cannot 
perform in a cost effective manner. Microcomputers, on the 
Other hand, are becoming less and less expensive and are, 
therefore, increasingly being used for more functions. 

The need for information “security has teen gradually 
recognized as the uses of computers have expanded. As 
security needs for specific computer systems have been 
recognized, attempts have been made to modify the existing 
systems to provide the desired security. The results have 
been systems that could not be certified as secure and/or 
which have failed to resist penetration efforts, i.e. 


systems which, in Srrect, aid Snot provide adequate 


11 





information security. It has become clear that, in order to 
be certifiably secure, @ computer syStem must have security 
designed in from first principles [10,11]. Such is the case 
with SASS. Information security was and continues to be a 
chief design feature. Integral to the design goal of 
information security were two related g0als. One of these 
goals was to provide multilevel controlled access to a 
consolidated “warehouse of data for a network of multiple 
host computers. The other key goal was to provide for 
controlled sharing ante the computer hosts. 
A brief background of prior work relative to SASS 
follows. O’Connell and Richardson originated the design of a 
secure family of operating systems. Their design provided 
two basic parts for their system -—- the supervisor (to 
provide operating system services) and the kernel (to 
provide for physical resource management). The design of the 
SASS Supervisor was completed by Parks Wale No 
implementation or further design effort on the supervior has 
Peiowed. to date. The initial design of the kernel was 
completed by Coleman [1]. That design descrited the kernel 
in terms of Seven modules: 
1. Gate Keeper Module - provided for ring-crossing 
mechanism and thus isolation of the kernel. 


2. segment Manager Module --~- provided for management of 
Segmented virtual memory. 


3. Traffic Controller Module -- multiplexed processes 
onto virtual processors and supports the inter- 
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process communication primitives Block and Wakeup. 
Block and Wakeup. 


4. Non~Discretionary Security Module ~~ mediated 
non-discretionary security access attempts. 


5. Inner Traffic Controller Module -~- multiplexed 
virtual processors onto real processors and 
provided the Kernel synchronization primitives 
Signal and Wait. 


6. Memory Manager Module -- managed main memory and 
secondary storage. 


7. Input-Output Manager -- managed the moving of 
. information to external devices outside the 
boundaries of the SASS. 
Refinement of the kernel design and partial implementation 
was completed by Gary and Moore [4] in conjunction with 


Reitz [9]. The resultant description of the kernel as a 


result of their work was: 


1. Gate Keeper Module 

2. Segment Manager Module 

5S. Event Manager Module -- worked with the 
Traffic Controller to manage the event 
data associated with the IPC mechanism 
of eventcounts and sequencers. 

4. Non-Discretionary Security Module 

5. Traffic Controller Module -- replaced 
Block and Wakeup with Advance and Await 
(to implement Supervisor IPC mechanism of 
eventcounts and sequencers). 

6. Memory Manager Module 


7. Inner Traffic Controller Module 


Reitz implemented the Traffic Controller Module and Inner 


Traffic Controller Module. Gary and Moore completed a 
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detailed design of the Memory Manager, originated the Memory 
Manager code (written predominantly in PLZ/SYS), selected a 
thread of the code, hand compiled it into PLZ/ASM and ran it 
on the Z8802 developmental module. 

The design and implementation works mentioned above 
provided the design base for this implementation. 
Refinements were made as needed and are discussed in 
Appendix G of this thesis. A broader description of the 


current state of SASS will be provided in the next section. 


B. SECURE ARCHIVAL STORAGE SYSTEM OVERVIEW 

This section presents a brief Summary of the current 
design state of the Secure Archival Storage System. The 
purpose of this Summary iS to provide continuity (interface) 
between this and previous work relative to SASS, and to 
enhance underStanding of the evolution of the more detailed 
and system specific information provided later in this 
thesis. 

1. Levels of Abstraction 

The original design for a family of secure, 

distributed operating systems (which was the basis for the 
development of SASS) used effectively the concept of levels 
of abstraction as a design methodology tool. Just as this 
tool allows for (clarity and Simplification in 
conceptualizing and designing a syStem, it also enhances the 


ability to clearly and succinctly describe that systems 
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design. Thus, an abstract syStem overview (description) of 
SASS will be presented here. Figure 1 represents that 
overview (illustrated for a Single host system for clarity). 
There are four levels of abstraction: 

Level 3 -- the Host computer systems 

Level 2 -— the Supervisor , 

Level 1 -—— the Kernel 

Level @ -—— the Hardware 
The Gate Keeper Module is logically the boundary between the 
Supervisor and the Kernel and thus will not be discussed 
within either of these levels, but rather separately. 

2. Level Three — Host Computer(s) 

Level three consists of the Host computer systems. 

There may be a variable number of host computers of any type 
(e.g@., micro, mini, etc). Bach host may be used to create 
and manipulate files of a fixed, predetermined degree of 
sensitivity (or security classification). Once a user of a 
host computer syStem completes work on a particular file, 
they can permanently store that file on the SASS (and, of 
course, may later again access the same file by requesting 
the SASS to provide it to them). Each host computer system 
is individually wired to an I/O port of the Z80@1. Each of 


the ports has fixed access level. 
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Figure 1. SASS System Overview (Single Host) 





If a multilevel secure Host desires to handle data 
at two levels (e.g., secret and unclassified), it will use 
two connections to the SASS. Physical and/or cryptographic 
protection of the hardwire connections is assumed. 

5S. Level Two — Supervisor 

Level two is the Supervisor. A proper description of 
the Supervisor is ‘that component of the SASS that executes 
in the outer, less privileged domain (normal mode) of the 
Z8@G1 microprocessor, and is responsible for the SASS - Host 
computer interface’. Integral to this description (and the 
Kernel’s description) is the concept of a domain, that can 
be described using four other terms that also need to be 
defined: ‘process, address space, ‘segment, and 
“segmentation . Madnick and Donovan [5] define a process as 
the locus of points of a processor executing a collection of 
programs; the collection of programs and data that are 
accessed ina process forms that process’s address space. A 
segment is defined as a logical grouping of information, 
such as a subroutine, array, or data area, and segmentation 
is defined as the technique for managing segments of an 
address space. It is convenient then, since the SASS uses 
Segmentation aS a memory management scheme, to more 
specifically define a SASS process address space as the 
collection of segments that are accessed (or are accessible) 
in that process. A domain is conceptualized in SASS due _ to 


the necessity to isolate the Kernel from all possible 
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outside influences. To achieve this, a process” address 
Space is divided into a hierarchial arrangement of segment 
accessibility, viz., a set of hierarchial protection domains 
called protection rings. In SASS, there are two domains 
implemented (and necessary as a minimum): the Supervisor 
domain and the Kernel domain. The 7Z80@1l microprocessor 
provides the SASS with two execution modes that, along with 
Kernel software, implement these domains: a system (Kernel) 
mode that provides access to all segments (and machine 
instructions), and a normal (Supervisor) mode that provides 
access to a subset of the segments (and machine 
instructions). Thus, the Supervisor operates in the outer or 
less privileged domain. 

The Supervisor contains those segments of the system 
that are necessary to perform the SASS - Host computer 
system interface (construct and manage a file hierarchy and 
control I/O between the SASS — Host). It is built upon the 
Kernel and performs the Host’s requests by calls to the 
Kernel (the calls are validated by the Gate Keeper prior to 
invocation of Kernel functions). Two surrogate processes, 
input/output (1/0) and file management (FM), are assigned to 
each Host computer system at system generation. The FM 
meoedss! directs all interaction between the SASS and a Host 
computer system. Specific functions include the management 
of the Host’s file hierarchy (using the FM Known Segment 


Table (FM EST) as a database) and~ discretionary security 
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access management (checking and maintaining an Access 

Control List (ACL) for each file within the file hierarchy). 
Controlling discretionary security with an ACL allows 
‘authorized users to specify who may use segments (files) 
within the confines of the non-discretionary security 
policy. Discretionary security will be defined and discussed 
in more detail in chapter II. 

The I/0 process acts in a slave mode to the FM 
process and is responsible for all input/output between the 
Supervisor and the host computer systems. Data is 
transferred between the Host and the SASS via fixed size 
“packets (a grouping of data ina specified format). To 
transmit and receive packets between the Host and the SASS a 
“protocol (or formal pasSing method) must exist between 
them. The I/O process is responsible for the SASS—Host 
protocol (Parks [7] designed a multi~packet protocol). Parks 
provides a detailed description of the Supervisor as it was 
originally designed. 

4. Gate Keeper Module 

The Gate Keeper is a software ring~crossing 
mechanism that provides for the isolation of the Kernel 
(viz., making the Kernel procedures tamperproof). The notion 
of a "ring-crossing’ mechanism is an extension of the 
previous discussion of domains Since “protection rings’ is 
simply another term for hierarchial domains (such as the 


SASS arrangement of the Kernel and the Supervisor). All 


ee 





calls to the distributed kernel and [PC with the Memory 
Manager muSt pass through the Gate Keeper (viz., it is the 
.sole entry point into the Kernel from the Supervisor). The 
Gate Keeper is a trap handler; when invoked by the 
supervisor domain of a process, it must save the supervisor 
domain registers and Stack pointer. The argument list 
provided by the supervisor domain’s call (included in this 
list must be the identity of the kernel domain function 
(procedure) being called) is validated and, if correct, 
results in invocation of the appropriate procedure. Hardware 
Daeemouetmcerrupts ere masked upon entry into the Kernel. 
When returning (exiting the Xernel) the following actions 
occurs (1) software virtual preempt interrupts are unmasked 
(if a virtual preempt interrupt has occurred, the Traffic 
Controller’s virtual interrupt handler is called .vice the 
Kernel being exited), (2) hardware interrupts are unmasked, 
(3) the return arguments are passed to the Supervisor, and 
(4) the Supervisor domain stack pointer and registers are 
Does tomeu, returning the execution point to the Supervisor 
domain. An error code is returned and the Kernel is not 
invoked when an invalid call is encountered by the Gate 
Keeper. The database of the Gate Keeper is the Parameter 
Table. This table contains an entry for each permitted 
kernel function (e.g., Create Segment, Delete Segment, etc.) 
and is used to validate the correctness of the range (size) 


of the parameters passed. 
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ee Level One — Kernel 
Level one is the Security Kernel (or Kernel). The 
Security Kernel in the inner or most privileged domain 
(system mode of the Z8@@1) and is responsible for managing 
the real resources of the hardware syStem (viz., memory, 
microprocessor, external devices, and inodut/output ports), 
and for enforcing the non-discretionary security policy for 
the SASS. The Kernel is divided into two major components. 
The first is the distributed kernel, i.e., the modules in 
the Kernel whose segments are placed in (or distributed in) 
the address Spaces of each Supervisor process; the 
distributed kernel consists of the Gate Keeper (already 
discussed), the Segment Manager, the Event Manager, the 
Traffic Controller, and the Inner Traffic Controller. The 
A arene component is the non-distributed kernel and consists 
of the ‘asynchronous memory manager process (which is 
contained entirely within the Kernel address Space). There 
is a memory manager process for each hardware processor in 
the SASS. The eeilowabde section will identify and briefly 
describe each of the Kernel “s distributed and 
non-distributed system components. 
a. Segment Manager 
The Segment Manager (the focal point of this 
thesis) is a cOmponent of the distributed kernel; its 
function is the creation and management of a segmented 


virtual memory for the process. Actual memory management 
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functions are completed via calls for IPC to the Memory 

Manager process. Calls to (viz., entries into) the Segment 

Manager are received via the Gate Keeper from the 

Supervisor. These entries (viz., extended instructions) are: 
1. Create Segment -- add a new segment to the SASS. 


2. Delete Segment -- remove a Segment from the SASS. 


3. Make Known -- add a segment to a process” address 
Space. 
4. Terminate -- remove a segment from a process’ 


address space. 
5. SM Swap_In -- move a segment from secondary 
Storage to main memory. 
6. SM Swap Out -—- move a segment from main memory 
to secondary storage. 
The process local database used by the Segment Manager is 
the Known Segment Table (KST). The XST contains entries for 
all segments in the address space of that process. The 
segment Manager will be described in more detail in chapters 
II and III. 
do. Non~Discretionary Security Module 
The Non-Discretionary Security (NIS) Module is a 
component of the distributed kernel; its function is the 
enforcement of the non-discretionary security policy in 
effect in the SASS. Although the implementation presented in 
this thesis reflects the DoD non-discretionary security 


policy, any security policy that can be represented by a 
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lattice structure may be Similarly implemented. To implement 
a different policy (e.g., Privacy Act or a local policy) 
requires only replacement of the Non-Discretionary Security 
Module (viz., the modules calling it can be left intact with 
no changes required to them). The NDS Module creates the 
extended instruction set CLASS_ EQ and CLASS_GE. The 
Non-Discretionary Security Module and the information 
security concepts which form its basis will te discussed in 
more detail in chapters II and mi. 
Cc. Event Manager 

The Event Manager is a component of the 
distributed kernel, it is invoked by the Supervisor 
processes via the Gate Keeper. This module’s function is to 
manage rent tears Event data is associated with a global 
object (called an eventcount). An eventcount is a count of 
the number of events ere the number of read or write 
accesses of a segment) that have occurred so far in the 
execution of a system. In SASS, as a naming convention, each 
Supervisor segment has two eventcounts associated with it. 


These eventcounts (Instancel and Instance2) are stored ina 


Memory Manager database. The Event Manager creates the 


extended instruction set READ and TICKET; they are based on 
the mechanism of eventcounts and sequencers (used for the 
Synchronization of concurrent processes). READ is a call 
that returns the current value of the eventcount. TICKET, 


using a nondecreasing integer called a sequencer (also 


ZO 


-_ 
= > 
=~ 
_ =_> 
@& a 
« 
—— a = 
EEE 
—_ s 
=P a 
-_ =, 
a = 











associated with each Supervisor segment), provides a 
complete time ordering of possibly concurrent events. Each 
invocation of the function TICKET increments the value of 
the sequencer and returns it teas the caller. The 
eventcounts/sequencer synchronization mechanism is described 
in detail by Reed and Kanodia [8] while an excellent 
abridged discussion is presented by Gary and Moore [4]. 
d. Traffic Controller 

The Traffic Controller (TC) is a component of 
the distributed kernel; it is responsible for multiplexing 
processes onto virtual processors. A virtual processor is a 
data structure that contains a complete description of a 
process in execution on a physical processor at a given 
instant. A complete description is defined to consist of 
the execution point or current CPU state and the address 
space (set of segments accessible by that process) of the 
process in execution. The Traffic Controller also creates 
the extended instructions ADVANCE and AWAIT which are used 
to implement eventcounts and sequencers, the inter-process 
communication (IPC) mechanism invoked by the Supervisor, and 
the extended instruction PROCESS CLASS. PROCESS CLASS is 
invoked by the Segment Manager and returns the _ labvel 
(classification) of the current process. The Traffic 
Geantroller is half of a two level traffic controller; the 
Other half is the Inner Praffic Controller, which 


multiplexes the virtual processors onto physical processors. 
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The database for the Traffic Controller is the Active 
Process Table (APT), a fixed Size, System wide database, 
that contains a permanent entry for each Supervisor process 
created at system generation (in the SASS the processes are 
then active for the life of the system). The APT structure 
is Shown in figure 2. The scheduling algorithms and a 
detailed discussion of the current Stare of the Traffic 
Controller are provided by Reitz [9]. 
we inves Traffic Controller 

The Inner Traffic Controller (ITC) is a 
component of the distributed kernel; it is the other half of 
the two level traffic controller and its function is to 
multiplex (temporarily bind) virtual processors (VP) to the 
real processors of the system; a design choice was made to 
provide each system CPU with a small fixed set of virtual 
processors. Two of the VP’s are the Memory Manager VP and 
the Idle VP (the latter is permanently tound to the lowest 
priority virtual processor and is scheduled by the ITC only 
when there is no useful work for the CPU). The remaining 
VP’s have Supervisor processes temporarily bound on them by 
the Traffic Controller. Another function of the ITC is to 
furnish inter-process services for VP’s in the kernel ring. 
This is done by providing the primitives SIGNAL and WAIT, 
that are used by processes in the Kernel ring to communicate 


with other Kernel ring processes. 
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Figure 2. Active Process Table 
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ims is the mechanism used within the Kernel to provide 
multiprogramming (process switching). The ITC Module creates 
the extended instruction set: SIGNAL, WAIT, SWAP _VDBR, IDLE, 
SET PREEMPT, TEST_PREEMPT, and RUNNING_VP. The functions of 
SIGNAL and WAIT have been discussed already. SWAP _VDBR 
provides the TC with a means to schedule processes on the 
currently running VP. IDLE loads an “idle process on the 
currently running VP. SET_PREEMPT sets the virtual preempt 
interrupt flag on a specified YP (specified by the TC). 
TEST PREEMPT provides the Vir wad preempt unmasking 
mechanism that is executed each time a process tries to move 
from the Kernel to the Supervisor domain. The database used 
by the Inner Traffic Controller is the Virtual Processor 
Table (VPT). There is one SyStem wide table with entries for 
each physical processor in the system. The VFT for a single 
processor system (such aS SASS) iS Shown in figure 4. The 
scheduling algorithms and a detailed discussion of the 
current state of the Inner Traffic Controller are provided 
by Reitz[9]. 
f. Memory Manager 

The Memory Manager Module is the only component 
in the non-distributed kernel. There is a Memory Manager 
process dedicated to each physical processor (CPU) in the 


system. 
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The Memory Manager is responsible for manazing 
the real memory resources of the system, viz., local and 
global main memory and secondary storage. The memory manager 

manages the local and global memory in such a way as_ to 
control bus contention in the mul ti-~microprocessor 
environment. Thus, each CPU has its own local memory to 
store process local segments and there is a global memory to 
which every CPU has access and in which shared, writeable 
segments must be stored. This requirement is to ensure that 
a current copy is always accessed for a shared, writeable 
segment. To keep bus contention between processors” that 
access global memory to a minimum, whenever possible (viz., 
in all cases but shared, writeable segments) segments are to 
be stored in local memory. The Memory Manager has several 
databases, primary of which are the system wide Global 
Active Segment Table (G_AST) and the per processor Local 
Active Segment Table (L_AST). A more detailed description of 
the Memory Manager Module iS presented in chapters II and 
LE lve 
6. Level Zero - Hardware 

The Z8@@1 microprocessor, 260128 Memory Management 
Unit (MMU), local and global memories, and secondary storage 
form the SASS” basic hardware group. Since the design calls 
for SASS to exist in a multi-microprocessor environment, 


there will be multiple copies of some elements of the groun, 


@.g-,CPU, local memory. The 28001 microprocessor is a 
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register oriented machine that has Sixteen 16-bit eeneral 
purpose registers. When operated with the MMU, the desired 
capabilities of memory segmentation, multiple domains, and 
process switching are realized. The MMU consists of a set of 
registers (64) to implement the descriptor list (or 
descriptor segment); viz-., each register contains the 
descriptor (containing the attributes) of a particular 
segment. Zilog [14] provides a detailed description of the 
28081 microprocessor and Zilog [15] describes the 28919 MMU. 


C. STRUCTURE OF THE THESIS 

This thesis describes the implementation of the segment 
management functions for the SASS. The design base evolved 
from the original secure family of operating systems 
identified and designed by O°Connell and Richardson. A block 
Structured language, FPLZ/SYS, was used in this and previous 
design efforts, while implementation was completed using 
PLZ/ASM assembly code. PLZ/SYS is described by Snook [12] 
and Conway [2] while PLZ/ASM is describded by Zilog [13]. A 
compiler for PLZ/SYS to PLZ/ASM code translation was not 
available. As a result, implementation included the added 
step of manual translation of PLZ/SYS code to PILZ/ASM code 
to facilitate testing and debugging. 

In this chapter an introduction to SASS was provided 
through discussion of its background and an overview of the 


entire system. A summary of the extended instruction sets 
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created by the Kernel components and a Summary of the Kernel 
databases is presented in figures 4 and 5. 

Chapter II of this thesis will present a description of 
the segment management functions in SASS. Discussion of the 
theory behind information security and its implications to 
SASS is also provided. The modules encompassed by segment 
management will be discussed in terms of their design, 
functional purpose, and database descriptions. 

Chapter IT! pean the implementation of segment 
management (viz., the segment manager, non-discretionary 
security, and distributed memory manager modules). 
Description of design and implementation criteria, and 
choices made during implementation are discussed in this 
chapter. 

Chapter IV provides the conclusions reached, status of 
research, and recommendations relative to continuation and 
extension of the work. | 

Appendices include PLZ/ASM code for the modules, the 
program listings for the Segment Manager BER Ona tation and a 
summary of the refinements made to previous design/code 


relative to SASS. 
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IIT. SEGMENT MANAGEMENT FUNCTIONS 


A conceptual discussion of the functions associated with 
segment management is presented in this chapter. As 
previously mentioned, two dominating goals of SASS were to 
provide multilevel controlled access to information and to 
provide for controlled sharing of information. The major 
factor in controlled access (which, in effect, refers to 
information security) and in information sharing is the 
concept of segmentation. Segmentation, data sharing, and 
information security will te discussed relative to their 


value to SASS. 


A. BASIC CONCEPTS/DISCUSSION 
1. Segmentation 

Segmentation has previously been defined as the 
technique for managing segments of an address space where a 
segment is defined to be a logical grouping of information 
which possesses the qualities of having uniform attributes, 
being logical (vice physical), being visible to the user and 
being arbitrary in size. Based upon this notion, a process” 
address space is then viewed as consisting of the collection 
of segments that the process may access. In a Segmented 
environment all addresses require two components: (1) a 
Segment specifier (number) and (2) the location (offset) 


within the segment. Each segment may have attached to it 
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logical attributes that enable certain important control 
features to be implemented. Controlled access and 
information sharing implementation is specifically 
facilitated. By including classification and access 
information in a segment’s logical attributes, a method to 
em: orce information security is provided. Segmentation 
supports information sharing since it allows a segment to 
belong to more than one address space, that is, a single 
physical copy may be accessed by more than one process. 
Controlled physical sharing of information (within access 
constraints) is achieved, in the case of SASS, by putting 
segments which are shared and writeable into the system’s 
global memory (vice a copy in each local memory). 

Segmentation also facilitates the implementation of 
multiple protection domains in SASS. A process” address 
space is divided into domains or arrangements of segment 
accessibility. The Kernel domain is the most privileged and 
meemerudes all segments of the address Space, while the 
supervisor domain is less privileged and excludes segments 
representing the management of the shared resources by more 
than one aeeese: 

2. Data Sharing 

The facility to share a single segment (and thus a 
Single copy of the information to be accessed) by many 
processes is a Significant feature that is facilitated via 


segmentation. In short, by processes sharing a common 
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physical copy of a segment, there is no requirement for 
mepricate copies and thus no possibility exists of having 
copies that are not up to date. In SASS, given the global 
memory/local memories environment, the policy is to put 
copies of segments in local memory except in the case of 
Shared and writeable segments, which are placed in global 
memory for sharing purposes among processes with the 
appropriate access. 

Segmentation is vital to this policy since only 
through explicit segmentation can SASS know the read/write 
properties of the information. Thus, Segments which are 
shared but have read only access (by all processes that may 
access it) are not put into global memory but rather into 
the local memory of each of the processes that may access it 
(viz., multiple copies exist). There is no possibility of 
the multiple copy/ out of date copy problem since only read 
access is allowed. However, this is a seeming waste of 
memory and nonuse of the sharing facility provided by 
segmentation. The justification is based on a2 design 
decision motivated by another goal of SASS -~- reduction of 
bus contention among processors accessing global memory. 
This is considered to be of more importance than the saving 
of memory space offered by single copy sharing of 
information; as stated before, the cost of memory has gone 
down significantly in the last few years thus reducing its 


influence on decisions such as this. 
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3S. Information Security 


Information security in a computer environment only 


recently began to receive the attention that it deserves. 


Few people have been far Sighted enough to view computer 


security in an analogous manner to communications security 
(an area which has received considerable military and 
commercial attention throughout history, especially since 
the advent of electronic communications). Only through harsh 
and embarrassing lessons has the importance of computer 
security being recognized. The range of problems encountered 
covers virtual every level of computer usage: banks and 


commercial enterprises are victims of theft through the 


felonious use of computers; universities are the victims of 


undesired users entering their systems and either 


maliciously or accidentally destroying valueble programs; 
and the military faces the real possibility that classified 


mat@€rial is being accessed by foreign agents without our 


knowledge and/or crucial systems are being tampered with 
without our knowledge. The effects of these type actions may 
be as small as simple embarassment or as serious as 
undermined military preparedness. It should te clear that 
information security is a serious issue. Definitively, this 
thesis will consider information security as the process of 
providing controlled access to information based on proper 
authorization. A pertinent information security goal is to 


provide a ‘multilevel” information security environment 
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(that is, an environment where multiple levels of sensitive 
information and user accessibility to that information exist 
together in a manner such that security is not compromised). 
The key to achieving computer security lies with the concept 
of the security kernel’. A discussion of this concept and 
some supporting definitions is provided in the next section. 
ae Basic Security Principles 

The protection of secure information in computer 
systems is affected through two types of control: (1) 
external controls -~ where physical means are used to 
securely isolate the computer system (e.g., an armed guard) 
and (2) internal controls -- where the computer itself 
provides protection by distinguishing information security 
levelsS and user accesibilities. Although the discussion in 
this thesis centers around internal controls, external 
controls are also a viable and important aspect of the SASS 
(and other computer system’s) information security. As 
previously stated, the key (or answer) to computer security 
lies in the security kernel concept. Schell (11] provides a 
detailed development of the theory behind this concept. The 
security kernel is defined as that part of the computer . 
system’s hardware and software which enforces the authorized 
access relationships between the user/process (subject) and 
the accessed information (segment or object). 

An important aspect to the development of a 


secure kernel based syStem is the security policy to be 
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mamorced. There aré two distinct aspects of security policy. 
The first is the non-discretionary (mandatory) policy that 
externally constrains what access iS permissable;s this 
policy is manifested and implemented in an arrangement where 
information in the form of a segment (called an object ) is 
labelled as to its sensitivity; the same is done with the 
party requesting access (the user/process, called a 
“subject ). The relationship between the subject and object 
“labels that leads to an access permission or denial is 
defined by a lattice structure [3]. This lattice structure 
concept will be discussed in the next section. The second 
aspect of security policy is the discretionary policy, which 
is a refinement within the non-discretionary constraints. It 
is emphasized that discretionary security is ace 
within (and in no way substitutes for) non-discretionary 
security. An example is the need to know policy of the 
DoD. Implementation of the discretionary security policy for 
SASS is accomplished in the Supervisor through the 
maintenance of an Access Control List (ACL) for each file in 
the file hierarchy. kach access attempt to a file is checked 
against the ACL and access is granted in accordance with 
that check and the non-discretionary security check 
(whichever eranted the least access). This allows the users 
to specify (subject to non-discretionary security 
constraints) who may access their files. Since the 


implementation of the discretionary security policy is not a 
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part of this thesis, a detailed discussion is not provided. 
Parks [7] eos = adiscretionary security policy design 
mor SASS. 

Implementation of a security policy requires an 
eetess of and consideration for several basic security 
properties which are briefly defined below. 

The Simple Security Condition restricts a 
subject’s read access to objects whose classification is 
equal to or less than than the subject’s classification (the 
term classification will hereafter be used to indicate a 
degree of sensitivity or security importance). 

The Confinement Property (or °*-property  ) 
restricts a “subject ’s write access to objects whose 
classification is equal to or greater than the subject’s 
classification. This property prevents a2 subject from 
writing to an object of lower classification where another 
subject (of less than the original subject’s classification) 
would have potential access thus violating security. 

The Compatibility property has as a basis the 
hierarchial structure of the objects (segments) of SASS. The 
objects of SASS are hierarchially organized in a2 tree 
structure. The structure consists of nodes, leaves, anda 
root from which the tree eminates. A node (an alias table 
that contains a list of a eeiasiieis for segments) is directly 
associated with a Segment that is the “mentor for one or 


more segments. A leaf, viz., a segment, is not an alias 
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table but may be a mentor segment (with the Same access 
class as the alias table). The Compatibility property 
basically states that the object access classification must 
be non-decreasing in moving from the root down the hierarchy 
(viz., the access classification of a child must be greater 
than or equal to its parent). 
db. Lattice Modet Abstraction 

a lattice model of secure information flow 
concept (discussed by Denning [3]) permits concise 
tormulations of the security requirements of different 
systems and facilitates the construction of mechanisms that 
Entorce security. Specifically, the relationship between 
classifications can be represented by a partially ordered 
lattice structure (examples illustrating this concept are 
presented in the next section). Authorizations for access 
(or decisions on compatibilty) then are based on this 
lattice. With the properties previously discussed as a 
basis, the accesses permitted are defined below (‘sac is 
the abbreviation for ‘subject access classification and 
oac. for ‘object access classification and “| denotes 
“not related’): 

1. sac = oac, read/write permitted 

2. sac oac, read permitted 


» 
3. sac < oac, write permitted 


4, sac Ooac, no access permitted 
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Case 3 represents a subject ’s ability to ‘write 
up, which is a capability not supported in SASS; thus for 
SASS, case 3 is more accurately represented as; 

3. sac < oac, no access permitted 
Meetnis point. no design detail has been provided for the 
representation of a classification or for defining how two 
classifications are compared and determined to be ‘equal’, 
“greater than , “less than , or unrelated (viz., what does 
Sac>oac mean?). The next Section will illustrate these ideas 
both generally and by examples. 

c. Examples 

Based on military influence, the examples 
provided are reflective of a subset of the DoD 
non~-discretionary security policy. A classification (or 
label) is defined to have two parts: (1) a level (e.g., top 
pecret, Secret. COMTIGEmti dijweeon suncldssitied ~in the 
example) and a category (e.g. Crypto (Cy), Nato (N), Nuclear 
(Nu), or empty (%) in the example). In the actual 
implementation (chapter III), provisions will be made for 
eight levels and sixteen categories. (In some reference 
texts, levels are called categories and categories are 
called compartments). The levels are defined ty a totally 
ordered. relationship where all levels are related: 

Top Secret > Secret > Confidential > Unclassified 
or 


oes > 7. U 
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The categories are defined as “disjoint” (no relationship 
exists when comparing individual categories with other 
individual categories). The classifications (labels) ( the 
concatenation of level with category) then are defined to 
have a ‘partially ordered relationship since some but not 
all classifications are related. The cases to be illustrated 
will be illustrated throvgh a general case and then by 
specific examples. The general structure is defined by: 

Subject “s classification = (LS, {CS}) 

Object’s classification = (LO, {CO}) 
wheres 

LS = Subject’s level 

{CS} = Subject’s set of categories 

LO = Object’s level 

{CO} = Object’s set of categories 
The non~inclusive set of partially ordered examples will be 
chosen from a subset of the classifications derivatle from 
the set of totally ordered levels and the set of disjoint 
categories: 


{TS,S,C,U} and {Cy,N,Nu,%} 


Case I : Equal (sac =oac) 
General - LS = LO and {CS} = {CO} 
Examples - (TS,{Cy,N}) = (TS,{Cy,N}) 
=F toy) ) = (U0 aicy) ) 


Access - Read/Write 
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Case II: Greater than (sac > oac) 
(1) General - LS > LO and {CO} subset to {CS} 
Examples - (S,{N,Nu} ) > (c,{N} ) 
= (onpangay ) SelUnttta) 
(2) General - LS > LO and {CS} = {CO} 
Examples — (TS,{%} ) > (S,{%} ) 
= (5, GiNwN}) > (UFfNaZN}) 
(3) General - LS = LO and {CO} proper subset to {CS} 
Examples - (U, {Nu} ) > (U,{%} ) 
(TS,{Cy,N,Nu}) > (TS,{Cy} ) 


Access - Read 


Case III: Less than (Sac < o0ac) 
(1) General - LS < LO and {CS} subset to {CO} 
Examples - (S, {%} ) < (TS,{N} ) 
~ (U, {N,Nu}) < (C, {Cy,N,Nu}) 
(2) General - LS < LO and {CS} = {Co} 
Examples - (S, {%} ) < (TS,{%} ) 
QU iNNt) orc, IN, Nu} ) 
(3) General - LS = LO and {CS} proper subset to {CO} 
Examples ~— (U, {%} ) < (U, {N} ) 
~ (c, {N,Cy}) < (C,{N,Nu,Cy}) 


Access = no access (in SASS) 


Write (in principle) 


Case IV : Unrelated (sac | oac) 
(1) General - LS <,>,or = LO and {cs} } {co} 


f 
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Examples — (S, {N} ) ! (c, {Nu} ) 
- (C, iNu} ) | (S, {N } ) 
Sone ) 1 (TS suey ) 
(2) General - LS > LO and {CS} proper subset to {co} 
Examples — (TS,{%} ) |! (S, {N} ) 
~ (Cc, {N,Nu}) | (U,{N,Nu,Cy}) 
Explanation - there is a contradiction between 
the relationship of the levels and 
the relationship of the categories. 
Since this contradiction is 
unresolvable, the classification 
relationship must be ‘unrelated. 
(3) General - LS < LO and {CO} proper subset to {cs} 
Eramples — (S, {N,Nu} } ; (TS, {N}) 
- (u, {Cy} ) | (c. {%}) 
Explanation ~— same as above 
Access = No access 
feeeaApplications to the SASS 
The cases above are designed to identify each 
messivle relationship that exists between two labels. In the 
SASS, it is necessary only to identify cases I and II (label 
1 >= label 2), while lumping the other cases into a single 
case which represents ‘no access. MThiS arrangement 
encompasses enforcement of the Confinement Property, Simple 
Becurity Condition, and the Compatibility property. 


Enforcement must occur on every access attempt of an object. 
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A discussion of the implementation of non-discretionary 


security policy is provided in the next chapter. 


B. SEGMENT MANAGER 
1. Function 

The Segment Manager is the focal point of the 
meement management function. Using the per-process Known 
Segment Table as its database and the Memory Manager and 
Non-Discretionary Security Module in strongly supportive 
roles, it is responsible for managing the segmented virtual 
memory for a process. Its role can be viewed as Somewhat 


intermediary in nature (viz., between the Supervisor modules 


and the Memory Manager modules). The extended instruction 


‘set created in the Segment Manager includes the following 


instructions: CREATE SEGMENT, DELETE SEGMENT, MAKE _KNOWN, 


TERMINATE , SM _SWAP_IN, and SM SWAP OUT (note that the names 


for SWAP_IN and SWAP _OUT have been modified by preceding 
Smemewith oM@ ; this is strictly for clarity because the 
Memory Manager also creates two instructions called SWAP _IN 
and SWAP OUT). These instructions are invoked by the 
Supervisor domain of the process (viz., calls are made from 
the Supervisor domain via the Gatekeeper to the Segment 
Manager in the Kernel domain) to provide SASS support to the 
most. : 

In general, when the Segment Manager receives these 


calls, it performs certain checks to ensure the validity and 


security compliance (when required) of the request (call). 
These checks are performed using its own database (the KST) 
and by calls to the Non-Discretionary Security Module (when 
required). The Segment Manager invokes one of Six Memory 
Manager (more specifically, the Distributed Memory Manager 
Module) created instructions. These instructions include: 
MM CREATE ENTRY, MM DELETE ENTRY, MM ACTIVATE, 
MM DEACTIVATE, MM SWAP_IN, and MM_SWAP OUT. These invoked 
instructions (procedures) in turn perform interprocess 
communciations with the non-distributed memory manager 
process (where actual memory management functions are 
accomplished). These interprocess invocations and returns 
are accomplished throveh the use of the IPC primitives 
Signal and Wait. The Segment Manager returns the required 
arguments to the Supervisor by value (as passed back to it 
by the Memory Manager and/or determined within itself). The 
segment Manager performs actual segment numter assignment 
when a segment is made known to a process’ address space. It 
also performs any further database (KST) updating as may be 
required. A more detailed description of the specifics of 
the actions of the Segment Manager will be provided in the 


implementation described in Chapter III. 
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2. Database 

The Known Segment Table (KST) is the database used 

to manage Seements. The KST is described in its tabular form 

and PLZ/SYS structured representation in figure 6. There are 
several baSic and pertinent facts to be noted of the KST: 

1. It is a process local database; that is, each process 
has its own KST. 

2. The KST is indexed by segment number; each record 
of the KST consists of a set of fields (description 
information) regarding a particular segment. 

S. Entering information into the fields of a Segment 
is called “making a segment known . This simply 
refers to adding a segment to a process’ address 
space (viz., making a segment accessible to a 
process). 

4. In SASS, a correspondence exists between making a 
segment Known and making a segment ‘active ; i.e., 
when a2 segment is added to the address space of 
a process, this action results in an entry in the 
KST (making ‘known ) by the Segment Manager and an 
entry in the Global Active Segment Table (G_AST) 
by the Memory Manager process (making it active ). 
The G_ AST will be described later in this chapter. 

| AR proper description of the structure and fields of the KST 
is necessary at this point. Using the representation of the 


PLZ/SYS language structure, the KST is described as an array 





Oo records of fields of varying types. The fields are 
described separately below. Although the KST index is not in 
memelf afield in the record, it does perform 4 rather 
significant role. The KST index is an integer closely 
related to the segment number of the segment described in 
meats RST entry (viz., it is the subscript into the array of 
records). This Segment number also corresponds to the MMU 
descriptor register (number) for that segment. 

ies Ti eandle is the first field in a KST record. 
The MM Handle is a system wide unique number that is 
asSigned to each Segment with an entry in the G_AST (viz., 
every active segment). This nadie” is the instrument of 
controlled single copy Sharing of information (Segments). It 
allows a segment to exist under one unique handle but be 
accessible in the address space of more than one process 
(with different segment numbers in each address space). The 
MM Handle is returned to the Segment Manager by the Memory 
memdeer during the execution of the Make Known instruction. 

The Size field is an integer value (of language 
structure type word ) which represents the number of 256 
byte blocks composing a Segment. 

Diemenccemes Mocge  t1eld =i5 used to describe the 
process” access to the segment (i.e., null or read and/or 


write). 


ot 


The In Core field is used to indicate if the segment 
is or iS not in main memory (i.e., this field is a flag or 
true/false boolean switch). 

The Class field is a long word field used to 
represent the degree of eceration Semsitivity . (viz., 
access class) assigned to the segment. This field (for 
example) would be used fe numerically describe a 
Classification label (as described above}. 

The Mentor Seg Nr field is a number representing the 
segment number of a segment’sS parent or omentor segment. 
Its importance will discussed shortly. 

The S&ntry_Nr field is a number representing a 
Segment’s index number into itS parent or mentor segment’s 
Alias Table (not yet discussed). | 

The Alias Table iS a Memory Manager database and 
will be described later. The aliasing scheme provided via 
the alias tables is used to prevent passing system wide 
information out of the Kernel (i.e., the Unique_ID of a 
segment). The “alias of a segment is the concatenation of 
the Mentor Seg _Nr with the segment’s Entry_Nr (index) into 
the mentor segments Alias Table. It is clear that the last 


two fields of a KST record are the alias of that segment. 
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Figure 6. Fnown Segment Table. 
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C, NON—DISCRETIONARY SECURITY MODULE 
The key in protection of secure information uSing 
internal controls was identified as the security kernel 
concept. The basic idea within this concept is to prove the 
hardware part of the Kernel correct and, similarly, to keep 
the software part small enough so that proving it correct is 
feasible. A central component of the kernel software is the 
Non-Discretionary Security Module (hereafter referred to as 
the NDS Module). The NDS Module is concerned only with the 
non-discretionary aspect of the security policy in effect; 
since the discretionary aspect is subservient in nature to 
the non-discretionary aspect, it is then sufficient that the 
Kernel contain only the software representing the 
non-discretionary aspect of the security policy. The 
discretionary security is provided outside the kernel in the 
SASS supervisor. Every attempt to access information must 
result in an invocation of the NDS Module. 
The function of the NDS Module is to compare two 
Mise siirications (viz., compare two labels), aes a decision 
ms to their relationship (i.e., =,>,¢,/), ané return a 
true/false interpretive answer relative to the query of the 
calling procedure. The mechanism used as a basis is the 
lattice model abstraction previously discussed. The NDS 
Module does not require a database since the labels it 


compares are stored in (passed from) other Kernel databases. 
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D. MEMORY MANAGER 
mo Function 

The Memory Manager process is the only component of 
the non-distributed kernel. [It is responsible for managing 
the real memory resources of the system -- main (local and 
global) memory and secondary storage. It is tasked by other 
processes within the Kernel domain (via Signal and Wait) to 
perform memory management functions. This thesis will 
address the Memory Manager in terms of two components: (1) 
the Memory Manager Process (also called the nondistributed 
kernel and the Memory Manager Module), and (2) the 
distributed Memory Manager (also called the Distributed 
Memory Manager Module). The former is the “true. memory 
manager while the latter is the interface with other 
Miveesses, that is, it resolves the issue of interprocess 
communication with the ‘true’ memory manager. 

The Distributed Memory Manager Module creates the 
following extended is vruc tion set: imo. BNIST 
MM_DELETE_ENTRY, MM_ACTIVATE, MM_DEACTIVATE, MM _SWAP_IN, and 
MM_SWAP_OUT. poew nS URMet 2 Onsm ror the mechanism of 
communication between the Segment Manager of a process and a 
memory manager process (where the actual memory management 
functions are performed). The Memory Manager Process 
instruction set corresponds one to one with that of the 
Distributed Memory Manager; the set consists Oe: 


CREATE ENTRY, DELETE_ENTRY, ACTIVATE, DEACTIVATE, SWAP_IN, 
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and SWAP_ OUT. The basic functions performed ty tne Memory 
manager are allocation/deallocation of global and local 
memory and of secondary storage, and Segment transfers from 
local to global memory (and vice-versa) and from secondary 
storage to main memory (and vice-versa). 

2. Databases . 

A detailed and descriptive discussion of the Memory 
Manager databases is presented in the work of Gary and Moore 
[4] and the reader may refer to it for memory manager 
database details. This thesis addresses the implementation 
of the distributed Memory Manager but not the Memory Manager 
Process, thus brief descriptions are provided of the 
latter’s databases. 

The Global Active Segment Table (G_AST) is a system 
wide (i.e., shared by all memory manager processes) database 
used to manage all active segments. A lock/unlock mechanism 
memee-ea tO «6©6prevéeént race conditions from occurring. The 
distributed memory manager of the signalling process locks 
the G_AST before it Signals the memory manager process. 

The Local Active Segment Table (L_AST) ica 
processor local database which contains an entry for each 
peement active in a process currently loaded in local 
memory. 

The Alias Table is a SyStem wide database associated 
with each nonleaf segment in the Kernel. It is a product of 


the aliasing scheme used to prevent passing system wide 
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Mamcormarion. Ow Of | the Kernel. The alias table header 
(provided for file system reconstruction after system 
crashes) has two pointers, one linking the alias table to 
its associated segment, the other linking the alias table to 
the mentor Seement’s alias table. The fields in the alias 
table are Unique ID, Size, Class, Page Table_Loc, and 
Alias Table_Loc. The index into the alias table is Entry_No. 
The Memory Management Unit Image (MMU_Image, figure 
7) is a processor local database indered ty DER_No (viz., 
for each DBR_No there is a MMU_Image record, with each 
record containing a software image of the segment descriptor 
registers of the hardware MMU). The MMU_Image is an exact 
image of the MMU. Each record iS indexed by Seement_No 
(segment number) and each Segment_No entry contains three 
fields. The Base Addr field contains the sSegment’s base 
address in memory. The Limit field contains the number o? 
blocks of contiguous Storage for the Segment (zero indicates 
one block). The Attributes field contains 8 flags including 
5 which relate to the memory manager. The Elks_Used field 
and the Max_Blks (available) fields are per record (not per 
segment entry) and are used in the management of each 
process’ virtual core. 
The Memory Bit Maps (Disk EBit_Map, 
~Global_Memory_Bit_Map, and Local _Memory_Fit_Map) are memory 
block usage maps that use true/false flags (bits) to 


indicate the use or availability of storage blocks. 


ot 


The only database in the Distributed Memory Manager 
is the Memory Manager CPU Table. It is an array of memory 
manager VP_ID’s (MM_VP_ID) indexed by CPU number. This table 
enables a Signalling process to identify the appropriate 


memory manager process (virtual processor) to signal. 
| 


BE. SUMMARY 

The segment management functions and key related 
concepts (such as segmentation) were discussed in this 
chapter. The importance of segmentation to data Sharing and 
information security was emphasized as were key information 
Security concepts. With this background, the implementation 
of segment management and a non-discretionary security 


policy will be described in Chapter III. 
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III. SEGMENT MANAGEMENT IMPLEMENTATION 


aaa a esau ap 


The implementation of segment management functions and a 
non-discretionary security policy is presented in this 
Seaprer. Paramount to this implementation were several key 
issues that affected the implementation. These issues are 
discussed first. The implementation is discussed in terms of 
the Segment Manager, Non-~Discretionary Security (NDS), and 


Distributed Memory Manager modules. 


A. IMPLEMENTATION ISSUES 

Segment management for the SASS was provided through the 
implementation of the Segment Manager Module, the NDS 
Module, and the Distributed Memory Manager Module. 
Additionally, since a demonstration/testbed was integral to 
the testing and verification of the implementation, it was 
necessary to complete other supportive tasks. Reitz [9] 
meoviaed @ demonstration of the operation of the Inner 
Traffic Controller primitives SIGNAL and WAIT (for 
interprocess communication). Integral to this demonstration 
was the correct performance of the Inner Traffic Controller 
VP scheduling mechanism and a ‘stub of the Traffic 
Controller and its process scneduling mechanism (the TC 
3 Support and use of tne mechanism of eventcounts and 
sequencers was not a part of the demonstration). The Segment. 


management demonstration (hereafter referred to as 
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“Seg Mer.Demo.) was built on top of Reitz” Enc 
Synchronization primitive demonstration (hereafter referred 
to as Sync. Demo’). Thus, an immediate issue was to resolve 
the feasibility of adding on to Syne.Demo and also to refine 
mee present design of the Syne. Demo to facilitate its 
integration into the See Mer.Demo. One aspect of this effort 
was in resolving the problem of how to pass (i.e., in 
interprocess communication) a larger message. 
a. tnterprocess Messages 

The Sync.Demo passed word (16 dit) messages. To 
provide the mechanism for the distributed memory manager to 
signal the memory manager process with a command function 
identification code and the arguments needed to perform that 
function (e.g., CREATE-ENTRY and its input arguments), a 
message size of at least eight words (16 bytes) was 
necessary. An obvious answer was to signal with an array of 
eight words as the message. PLZ/SYS, however, does not allow 
passing arrays in its procedure calls (a procedure call is 
analogous to a subroutine call). Another alternative was to 
Signal with a pointer to the array of words, since PLZ2/SYS 
does allow passing pointers in procedure calls (thus the 
message would be a pointer to the real message). This, 
however, would be invalid in the segmented implementation 
(on the 28222 segmented microprocessor) since iaemeean 
segment numbers in different processes may not refer to 


identical segments. For example, a pointer in a process 
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(e.g., file management) points to an array (i.e., provides 
its address) by segment number and offset; passing this 
pointer to another process (€.2., memory manager) would 
mrovide this same segment number and offset which, of 
course, may be a different object in the second process’s 
address space). 

Another alternative considered was that of a shared 
“Mailbox segment with an associated eventcount acted on by 
the Kernel Inner Tret fic Controller primitives 
TICKET,ADVANCE and AWAIT. A deSign for uSing this concept in 
the supervisor ring is provided by Parks [7]. This 
alternative was not deeply considered since these primitives 
maemnot ancluded in the current Inner Traffic Controller. 

The method ultimately used to Signal the new length 
messages is based on the fact that the ITC is in both the 
Signalling and the receiving (memory manager) processes” 
address space. The message is loaded into an array in 
process #1 and a pointer to the array is passed in the call 
SIGNAL; the VPT, the ITC’s database, is then updeted ty 
(using the pointer) putting the message into its MSG _Q 
section. The message is retrieved by process #2 by execution 
of Reitz” WAIT primitive with only one refinement. That 
refinement is for the waiting process to provide as an 
argument (in the WAIT primitive) a pointer to its own 
message array so that the message in the VPT can be copied 


morit. 
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This refinement provides for passing a long message 
essentially ‘by value between processes. 
2. structures as Arguments 

Another issue concerned the use of pointers in the 
implementation of segment management. This necessary ‘evil 
is a result of the need to pass linguistically “complex™ 
data types in procedure calls. Complex types refer to array 
and record structures in PLZ/SYS (as opposed to the simple’ 
types-~byte, word, integer, short~-integer, long, and 
pointer). In managing databases (e.g., KST, G_AST) which 
consist of arrays of records (which in turn contain records 
and/or arrays), it was freauently necessary to reference 
data as an array or record. Within a process, the use of 
pointers was not a problem (i.e., not a problem such as 
would be encountered in IPC passing of pointers). 

5. Reentrant Code 

The issue of code reentrancy was addressed at the 
assembly language level through the use of a stack segment 
and registers for storage of local variables. PLZ/SYS (high 
level language) does not address reentrant procedures and 
thus the Segment management high level code is not 
automatically reentrant. The problem of reentrancy can be 
seen by looking at a shared procedure that is not reentrant; 
such a procedure has storage for its variables allocated 
Statically in memory. Suppose a procedure (e.g., in the 


Kernel) can be activated by more than one process. While the 
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procedure is executing in one process, a process switch 
occurs (e.g., to wait for a disk transfer) and its execution 
is suspended. The second process is activated, and while it 
is running it invokes the procedure. While the procedure is 
executing for the second process it uses the same storage 
space for variables as it did when executing for the first 
process. Eventually, it relinquishes the processor. However, 
when the procedure reSumes itS execution for the first 
process, the variable values that were in use by it 
originally have been changed during its execution in the 
second process. Thus, incorrect results are now inevitable. 
4. Process Structure of the Memory Manager 

References to the Memory Manager in past works 
have generally meant the memory manager process 
(non-distributed kernel). This work references two distinct 
components of the ‘memory manager module. The Distributed 
Memory Manager iS an interface provided to the Memory 
Manager Process. It is, in fact, distributed in the address 
Space of each Supervisor process. In contrast, the Memory 
Beandeer Process clearly is not distributed and its address 
Space iS contained entirely in the Kernel. 

5. Per-Process Known Segment Table 

Another key issue was that of the per process 
segment Manager database, the KST. Since each process has 
its own KST, it cannot be linked to the (shared) segmert 


manager procedures. To implement the KST as @ per process 
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database, it was convenient to establish, by convention, a 
KST segment number that is consistent from process to 
process. That Segment in each process is the XST Seement for 
that process. Implementation is then accomplished by using 
the segment number to construct a pointer to the base of the 
appropriate KST. It is then easy to calculate an appropriate 
offset to index any desired entry in the KST data. 
6. DBR Handle 

In Reitz’s implementation of the multilevel 
scheduler and the IPC primitives, references to ‘DBR’ 
(descriptor base register) are references to an address. 
Daesteaddress value represents a pointer to an MMU_IMAGE 
record containing the list of descriptors for segments in 
the process address Space. Gary and Moore [4] reference a 
"DBR_NO that is essentially a handle uSed within the memory 
Manager aS an index within the MMU_IMAGE to a particular MMU 
record. The base address of the MMU record indexed by DER_NO 
is then equivalent to the concept of DBR value used in 
Reitz’ work. The effect of this inconsiStency on the segment 
management implementation was minor and will bve further 


discussed later in this chapter. 


B. SEGMENT MANAGER MOLULE 
The. Segment Manager Module consists of six procedures 
representing the six extended instructions it provides. 


These are based on the design of Coleman [1]. Only calls 
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from external to the Kernel (via the Gate Keeper) may be 
made to the Segment Manager (per the loop-free structure of 
the SASS). The normal Sequence of invocation of the Segment 
Manager functions to allow referencing a segment is: (1) 
CREATE SEGMENT-~-allocate secondary storage for the segment 
and update the mentor segment’s Alias Table, (2)- 
MAKE KNOWN-~-add the segment to the process address space 
(segment number is assigned), (3) SWAP_IN--move the segment 
from secondary storage into the process’s main memory. The 
normal sequence of invocation to “undo the above is: (1) 
SWAP _OUT--move the segment from main memory to secondary 
storage, (2) TERMINATE--remove the segment from the 
process’s address space, (3) DELETE SEGMENT--deallocate 
secondary storage and remove the appropriate entry from the 
alias table of itS mentor Segment. The six Supervisor 
entries into the Segment Manager (viz., the six extended 
instructions) will be discussed individually below. The 
PLZ/SYS and PLZ/ASM listings for the Segment Manager are in 
appendices A and B. 
1. Create a Segment 

The function that createS a segment (i.e., adds a 
new segment to the SASS) is CREATE SEGMENT. This function 
validates the correctness of the Supervisor call by checking 
the parameters and making certain security checks. The 
distributed memory manager is then called to accomplish 


interprocess communication with the Memory Manager Process, 
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where segment creation is realized through secondary storage 
allocation and alias table updating. 

CREATE SEGMENT is passed aS arguments: GS 
Mentor Seg No--the segment number of the mentor segment of 
the segment to be created, (2) Entry_No--the desired entry 
number in the alias table of the mentor segment, (3) 
Class“=-the access class (label) of the segment to de 
created, and (4) Size--the desired size of the segment (in 
blocks of 256 bytes). The initial check is to verify that 
the desired size does not exceed the designed maximum 
segment size. If this check is satisfactory, a conversion of 
the Mentor Sez No to a KST index is necessary. This is 
because the Kernel segments use the first several segment 
numbers available but do not have entries in the KST. Thus 
if there were 14 Kernel segments and a system segment had 
Segment number 15, then its index in the KST would actually 
be 5 (i.e.,the Kernel segments would use numbers @-9, and 
this segment would be the sixth segment in the KST and its 
index would be 5). A call is then made to the procedure 
ITC_GET SEG PTR with the constant KST _SEG_NO passed as a 
parameter. This procedure will return a pointer to the base 
of this process” KST. This pointer is then the basis for 
addressing entries in the KST. The next check is to see if 
the mentor segment is known (viz., is in the address space 
of the process, and thus, in the KST). The key to 


determining if any segment is known is the mentor segment 
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entry (M_SEG_No) for that segment in the KST. If not known, 


this entry in the Segment’s KST record will be filled with 
the constant NULL SEG. The basis for checking to see if the 
Segment’s mentor segment iS known is the aliasing scheme 
implication that a mentor segment must be known odbefore a 
segment can te created. The process classification must next 


be Opvained from the Traffic Controller. The process 


Classification is checked to ensure that it is equal to the 


——s 


Classification of the mentor Segment since write access to 
its alias table is needed to create a segment. The NDS 


module“°s CLASS_EQ procedure iS called and returns a code of 


true or false. The last check is the compatibility check to 


ensure that the classification of the segment to be created 


is greater than or equal to the classification of the mentor 


segment. This is accomplished by calling the NDS Module’s 
CLASS GE procedure which returns a code of true or false. If 
any of these checks are unsatisfactory, an appropriate error 
code iS generated and the Segment Manager returns to its 
Calling point. If all checks are satisfactory, then a 
pointer to the mentor segment’s MM Handle array is derived 
(HPTR). Note that in the current memory manager design [4] 
the actual MM_Handle contents are a Unique_IE (a long word, 
viz., two words concatenated), and an Index No (index into 
the G_AST, a _ word); ones together these two fields are a 
total of three words. Since the Segment Manager does not 


interpret this handle, it is considered a three word array 
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at this level. For this reason, the entire uninterpreted 
MM Handle array will be passed by passing its pointer. This 
pointer and Entry_No, Size, and Class are then passed in a 
call to the distributed memory manager procedure 
MM_ CREATE ENTRY. This procedure, in turn, performs IPC with 
the memory manager process where segment creation ultimately 
is accomplished. A success code is returned in an [IPC 
message from the memory manager process via the distributed 
memory manager to the CREATE_SEGMENT procedure to indicate 
success or failure aS appropriate. This Success code is 
checked by the Segment Manager to ensure confinement would 
not be violated if it is returned to the calling process’ 
supervisor domain. Only after the success code has been 
Yeturned can the action of segment creation be considered 
Complete. Seement creation does not imply the ability toa 
'Teference that segment, MAKE KNOWN will accomplish that. 
eemebverete a Segment 

The function that deletes a segment (i.e., deletes a 
segment from SASS) is DELETE SEGMENT. Validation of 
parameters and security checks are performed here similar to 
(but fewer than) the CREATE SEGMENT checks. The distributed 
memory manager is then called to cause IPC with the memory 
Manager process, where segment deletion is realized through 
-~6secondary storage deallocation and alias tatle entry 
deletions. DELETE SEGMENT is passed as arguments: (1) 


Mentor Seg No and (2) Entry_No. Conversion of the 
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Mentor Seg No to a KST index is accomplished first. The 
pointer to the base of the KST is located and returned, as 
pefore. The mentor segment is checked to ensure it is known, 
again, by verifying that its own M_SEG_No (mentor Segment 
number) entry in the KST is not the NULL SEG. The process 
classification is obtained from the TC and checked (by a 
call to CLASS EQ) to ensure it is equal to the mentor 
Segment classification, since deleting an entry requires 
write access to the alias table. [f all checks are 
satisfactory, then the mentor Segment’s MM Handle pointer is 
derived. This pointer and the mentor segment alias tatle 
entry number are passed in acall to the distributed menory 
manager procedure MM_DELETE_ENTRY. It then performs IPC with 
the memory Manager process where Segment deletion is 
accomplished and a success code is returned as before. 
Oo. Make a Seement Known 

The function that makes a segment known (i.e., adds 
that segment to the process” address Space by assigning a 
segment number, updating the KST, and causing the memory 
Manager process to activate the segment (that is, add it 
to the AST )) is MAKE KNOWN. Making a segment known is the 
way the Supervisor declares its intention to use a Segment. 
MAKE KNOWN is passed as arguments: (1) Mentor _Seg_No, (2) 
Entry_No, and (3) Acess Desired (e.g., write, read, or 
null). It returns (1) a success code, (2) the access allowed 


to the segment, and (3) the segment number. Conversion of 
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mae mentor s@€ement number to a KST index, finding the KST 
Beiiter, and verifying that the mentor segment is known 
occur as previously discussed. 

There are three basic cases that may occur in 
MAKE KNOWN: (1) the segment iS already known (has an entry 
in the xXKST), (2) the segment is not known and there is a 
segment number available, or (3) the segment is not known 
and there is no segment number available. 

A search is made of the KST using each record’s 
(segment’s) M_SEG_No (mentor segment number) and 
Entry_Number fields as the search key. If these two fields 
mamen the input values Mentor_See_No and Entry_No, then the 
record indexed is that of the desired segment; thus the 
segment to be made known is already known. In this case, all 
that need be done is to return the success code, Segment 
number (converted from the index by adding to it the number 
of kernel segments), and the access allowed (equal to the 
Access Mode entry in the KST for the already known Segment). 

During the search of the KST, the M SEG _No field is 
also checked to see if it contains the NULL_SEG entry (this 
implies that the segment number associated with the Yrecord 
is available’). The first time this is noted, the index is 
saved. Note the first available index is saved since it is 
desired to assign segment numbers at the top of the KST to 
keep it dense there. When the search does not find that the 


Segment is already known, the index for the available 
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segment number is retrieved and converted to segment number 
by adding to it the number of kernel Segments. If this index 
is the NULL SEG entry, then there is no segment number 
available. In this event, the success code is set to 
NO _SEG_AVAIL, the segment number is assigned NULL_SEG, and 
access allowed is set to NULL_ACCESS (this is the third case 
mentioned). If the index is not equal to NULL_SEG and 
conversion to segment number has occurred then the Traffic 
Controller is called to provide the DBR_No (descriptor base 
register number) for the current process. The DER_No is used 
by the memory manager process as an index in the MMU_Image 


and the local AST. The distributed memory manager procedure 


MM Activate is calleds it is passed the TBR number, the 


a 


pointer to the mentor segment’s MM_Handle entry, the mentor 
Segment alias table Entry_No, and the -segment number. 
MM Activate performs the normal interface function (performs 
IPC with the memory manager process procedure thet updates 
the local and global AST’s) and also updates the KST entry 
for the new segment’Ss MM_Handle entry (returned from the 
memory manager process). It also returns to the Segment 
Manager the Success code, the Segment classification, and 
the segment size from the neon manager process. If the 
success code is “Succeeded then the issue of access to be 
granted must be resolved. The process classification is 
Obtained from the TC and passed with the segment 
classification to the NDS Module procedure CLASS Gh. If the 
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CONDITION CODE returned is FALSE then access allowed is 
NULL_ACCESS, the segment number a5 NULL_SEG, and 
MM_DEACTIVATE is called to deactivate the segment. An 
appropriate error code is returned. [If it iS greater than or 
equal then the access allowed is assigned as follows: (1) 
the two classifications are compared again-—-this time to see 
if equal; (2) If they are equal, then the access allowed is 
either read or write per the access desired; (3) if they are 
not equal (i.e., the process class is greater than the 
Segment class) then the access allowed is read. Finally the 
KST entries for that segment number (more accurately for its 
index in the KST) are filled with the appropriate 
information (e.g., IN CORE is false, etc.). If the success 
code returned from the memory Manager process via the 
distributed memory manager is not ‘succeeded’, then the 
segment number is set to NULL SEG and the access allowed is 
set to NULL_ACCESS. 
4. Make a Segment Unknown (Terminate) 

The function that makes a segment unknown (i.e., 
removes that segment from the process’ address space-—by 
updating the KST and causing the memory manager process to 
"deactivate the segment) is TERMIMATE. It results in 
removal of the M_SEG_No (mentor segment number) entry from 
that segment’s KST record. Terminate is passed the segment 
number of the segment to be terminated as an argument. It 


returns a success code. Conversion of the segment number to 
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a KST index, finding the KST pointer, and verifying that the 
segment is known occurs in the same manner as _ previously 
discussed. The next check iS to verify that the Segment is 
not still loaded in the process” virtual core (viz., it has 
been Swapped-out ). If not, an error code iS returned and 
the user must cause the Segment Manager extended instruction 
SM_SWAP_OUT to be executed. The next check iS to ensure that 
the user is not attempting to terminate a Kernel segment. 
The first Several Segment numbers in a process” address 
space will be used by Kernel procedures and data (though 
they will not be entries in the KST). Thus if there were i2 
Kernel segments, then the segment number to be terminated 
must be egreater than or equal to #12 (since the Kernel 
segments used #°s @-9). Thus a check is made to ensure that 
the segment number is not less than the number of Kernel 
segments; otherwise an error code is returned. Next, the 
Segment number is checked to enSure that it is not larger 
than the maximum segment number allowable (if so, an error 
code is returned). If all checks are satisfactory, then the 
segment’s MM Handle pointer and the process DBR_No are 
obtained (as discussed before) and passed in a call to the 
MM Deactivate procedure. It calls the memory manager process 
procedure DEACTIVATE which removes oor _ updates (as 


appropriate) the entries in the local and global AST’s. 
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S- Swap a Segment [n 


The function that Swaps a segment from secondary 
storage to main memory (global or local) is SM _SWAP_IN. It 
is passed the segment number of the segment to be swapped in 
aS an argument and returns a success code. convene x of? the 
segment number to a KET index, finding the KST pointer, and 
verifying that the segment number is kKnown are accomplished 
aS previously discussed. If the check is Satisfactory, then 
the segment’s MM Handle pointer and the process DBR number 
are obtained. They are passed with the segment’s access mode 
(from the KST) as arguments in the call to MM_SWAP_IN. It 
performs normal interface (IPC) functions and returns a 
success code from the memory manager process” SWAP_IN 
procedure (where, if not already in core, allocation of main 
memory space and reading the segment into main memory 
occurs). If the success code is ‘Succeeded then the 
segment ’s IN CORE entry in the KST is updated to show that 
the segment iS in main memory for this process (i.e., the 
entry is now true). 

6. Swap a Segment Out 

The function that swaps a segment from main memory 
to secondary storage is SM_SWAP_OUT. It is. passed the 
segment number of the segment to be swapped out as an 
argument and returns a success code. The tehavior of 
SM_SWAP_OUT iS exactly analogous to that of SM_SWAP_IN 


except that the segment’s KST IN CORE entry is updated to 


(2 


reflect that the Segment has been removed from main memory 


for this process (i.e., the new entry is “false'). 
C. NON=DISCRETIONARY SECURITY MODULE 


tae Non-Dirscretionary Security Module implements the 
non~-discretionary security policy for the SASS. The NDS 
module contains two procedures: CLASS EQ and CLASS GE; both 
compare two labels (classifications) and determine if their 
relationship meets that of the procedure’s name (i.e., 
equal, or greater than or equal). Although the type of 
checks being made are, in fact, compatibility checks, Simple 
Security Condition checks, etc, the NDS Module does not 
recognize or need to recognize this. It Simply uSesS an 
algorithm to determine if classification #1 = classification 
#2 or if classification #1 >= classification #2, as 
appropriate. It then returns a condition code of true or 
false in accordance with the particular case. The earlier 
Giscussion of label comparison in accordance with a 
partially ordered lattice Structure is relevant in 
discussing the NDS Module’s algorithm. Consider the same 
"totally ordered relationship TS >S >C»>U of levels and 
the “disjoint relationship cy | N | Nu |} % of categories. 
Comparison of levels will be numerical comparisons while 
comparison of categories will use set theory comparison as a 
basis. If TS=4, S=3, C=2, V=l are level numerical 


assignments, then the totally ordered relationship is 
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maintained (i-e., TS>S>C>U is still true). Now consider the 
categories and make the following asSienments: Cy=1, N=2, 
Nu=4, 4=0. Note that a classification may have only one 
level and one category set (the category set may contain 
several categories). Consider this example: (TS,{Cv,N}. The 
level is TS (=4). The category is the set {Cy,N} and 
numerically is formed ty performing a logical OR with the 
categories Cy and N. Sixteen bit representation of this is: 
Cy OR N 
(G2OG BOPP GGGS OGH1) OR (GGGOG 09S BGG OG12) 
= 0208 COGG e2ee O11 = {Cy,N} 
Ig (TS,{Cy,N}) is considered label #1 and (S,{N}) as label 
#2 then a comparison of the two labels would be: 
(1) Compare level #1 with level #2 -- 4 > 3? 

Clearly, the answer is yes. 
(2) Compare category #1 with category #2 -- is 

(@22S CLGS CHOGL CH11) a superset of 

(GQGG BOGG SGGE OG1G), or more clearly 

is the latter a subset of the former? 

The answer is yes, and one way to show that is true is 
by performing a logical OR of category #1 with category #2 
and comparing the result to category #1. If the result of 
the OR operation equals category #1 then category #1 1S a 
superset (not necessarily proper) of category #2. Since 
uSage of the term subset iS more frequent than that of 


Superset, this relationship will typically be stated as 


ue 





“category #2 iS a Subset of category #1. To illustrate the 
above: 
{Cy,N} OR {N} : 
(2222 BELO Eee 9211) OR (€@@2 @eGe Cees 2812) 
= 9909 9990 OOCG GY11 = category #1. 

This means that, in this example, that category #2 
is a subset (not necessarily proper) of category #1. Since 
level #1 > level #2 and category #2 subset category #1 then 


label #1 > label #2. Thus, a call to the CLASS_EQ procedure 


-with these two labels as the input classifications would 


Teturn a condition code of false while CLASS GE would return 


true. The decision to have the classifications as long word 


moe 6 bits) supports the requirement of some DoD 


specifications for eight levels and sixteen categories. This 


meee uses Sixteen bits for the level and sixteen bits for 
the category. Appendices © and F are the PLZ/SYS and PLZ/ASM 
listings for the NDS Module. 
1. Equal Classification Check 
The CLASS_EQ procedure performs comparison of two 
Classifications (labels) and returns a condition code of 
true if they are equal (an exact match of the two lone words 
bit per bit) or false if they are not. 
2. Greater or Equal Classification Check 
The CLASS_GE procedure performs comparison of two 
classifications (labels) and returns a condition code true 


if classification #1 is greater than or equal to 
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Classification #2 or a condition code of false otherwise. 
For classification #1 to be greater than or equal to 
classification #2, the following must be true: (1) level #1 
>= level #2 (determine this by Simple numerical comparison 
of values) and (2) category #2 subset category #1 (determine 
this by performing a logical OR with the categories and 
comparing the result to category #1 -- if they are equél 
then category #2 is a subset of category #1). 

Since PLZ/SYS allows passing only Simple types in 
calls, the labels were passed as long words (as opposed to 
each being word arrays of length two). An access class label 
is never Pee rineved outside the NDS Module. However, within 
the NDS Module it is necessary to address the 
classification’s components separately (viz., level and 
category). Thus, an “overlay of the logical view of the 
Classification was created. This overlay was a record of 
type ACCESS CLASS and it consisted of two fields: level -- 
16 bit integer and category ~~ 16 bit integer. <A pointer 
type CPTR was declared to be of type pointer to 
ACCESS CLASS. Two other pointers CLASS1_ PTR and CLASS2_ PIR 
Demeeeocceared to be of type CPTR and were set equal to the 
base address of CLASSI and CLASS2 respectively. This 
“overlay” of the record frame over the two classification 
labels passed as arguments allowed the desired component 


addressibility. 
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mapnermore, the non-discretionary policy enforced by SASS 
can be changed from the current DoD policy to another 
lattice policy by changing (only) the NDS Module. 
D. DISTRIBUTED MEMORY MANAGER MODULE 

The Distributed Memory Manager Module performs as an 
interface between the Segment Manager and the Memory Manager 
Process. As its name implies, it is distributed in the 
kernel domain of each Supervisor process. The key role 
performed in this module is to arrange and perform 
‘interprocess communication between its process (actually the 
VP) and the memory manager process (VP}. The module consists 
of eight procedures. Six of the procedures are called 
directly by Segment Manager procedures; they are 
MM CREATE ENTRY, MM DELETE ENTRY, MMoACTIVALE, 
MM DEACTIVATE, MM_SWAP_IN, and MM_SWAP_OUT. The other two 
procedures are ‘service’ procedures called by multiple 
procedures; they are: MM_GET DBR VALUE and PERFORM_IPC. The 
logic used in the first six procedures is somewhat uniform 
(except for MM_ ACTIVATE). Thus, the general logic will te 
explained (with MM CREATE ENTRY as an example) and it should 
suffice as a description for all (except MM_ACTIVATE) 
procedures. The service procedures will be described 
Separately. 
1. Description of Procedures 

Each procedure is invoked (and returns) on a one to 


one basis with a corresponding procedure in the Segment 
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Manager. For example, CREATE SEGMENT invokes MM CREATE ENTRY 
which signals the CREATE ENTRY procedure in the Memory 
Manager Process Module. Associated with each procedure is an 
IPC message frame to describe the unique format of the 


contents of the message to be signalled to the memory 


_manager process. Similarly, there must be a message “frame” 


for return messages from the memory manager process; this 
frame is the same for all but the MM_ACTIVATE procedure. 
Consider the message frame for MM _ CREATE ENTRY; it consists 
of: (1) a code to describe which function is to be performed 
(e.g., CREATE CODE indicates that the CREATE ENTRY procedure 
is the intended recipient of the message), (2) MM Handle (an 
array of three words), (3) Entry_No, (4) Size, and (5) 
Class. The message frame has a filler (in this case) of one 
byte to ensure that it is of length 16 bytes. The purpose of 


this frame is to provide an overlay onto the actual message 


array to be signalled and to facilitate loading the 


arguments into the message array. This is accomplisned by 
having a pointer of the type that points to the frame but hy 
Converting its address so that it actually points to the 


base of the message array. Consider these lines of PILZ/SYS 


P code: 


CE MSGPTR := CE PTR COM_MSGPTR 


CE MSGPTR .CREATE CODE := CREATE_ENTRY_CODE 


This code is putting a value into the structure pointed to 


by CE_MSGPTR at entry CREATE CODE. The key point is that the 
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frame of that structure is, in fact, CREATE MSG (as 
described before), but the physical location pointed to is 
the mesSage array. This is assured by having the pointer 
CE MSGPTR (which points to a structure of type CREATE MSG) 
Set eaual to a pointer (COM_MSGPTR) to the actual message 
array (COM_MSGBUF). This is accomplished by the feels eerie 
of code. The mesSage array itself is never directly 
referenced, but rather the message array that is overlayed 


by the message frame is filled in the format of the 


CREATE MSG frame. [In this example, the first two bytes of 


the message array now contain the value of the constant 
CREATE ENTRY CODE. The remainder of the message array is 
filled in the same manner (all procedures use the same 
notion of a frame, although the frames have different 
formats). The PERFORM_IPC (perform interprocess 


communication) procedure is called by all procedures at this 


point in their execution. The key is that the argument 


passed is the message array pointer not the pointer to the 
CREATE MSG record (after all it is only an overlay frame -- 
linguistically, it is only a type and is never declared as a 
Structure reauiring memory storage allocation). When 


PERFORM_IPC returns, the message array contains a return 


message. This mesSage consiSts of only a success code and 


“filler space in all cases but MM_ACTIVATE. Interpretation of 


the return mesSage is performed in the Same manner as 


loading the message array. The retrieved success code is 
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returned to the calling Segment Manager procedure. For 
MM_ACTIVATE, the return message must be interpreted and 
values for success code, segment size, and segment 
Classification retrieved and returned to the Segment Manager 
MAKE KNOWN procedure. The value for the MM Handle (called 
the G_AST Handle by the memory manager process) must be 
retrieved and entered in the KST record for this segment. 
2. Interprocess Communication 

The final arrangements and actual performance of IPC 
is completed by the internal procedure PERFORM_IPC. By 
locating the identity of the current physical processor 
(CPU) and using that identity to index into the 
MM_CPU_TABLE, the VP_ID of the current memory manager is 
resolved, so that the memory manager process dedicated to 
this physical processor is signalled. The call to K_LOCK is, 
in fact, a disguised call to the SPIN LOCK procedure (since 
K_LOCK calls SPIN _LOCE). K_LOCK represents an ultimate (as 
yet unimplemented) goal of a fernel locking (wait-lock) 
System. In any event, the G_AST lock must be set prior to 
Signalling the memory manager process. After SIGNAL has been 
called, a call is made to WAIT with the pointer to the 
message array aS the argument. The synchronization cycle 
‘that results is: (1) PERFORM_IPC calls the ITC procedure 
SIGNAL with the memory manager VP_ID and message array 
pointer as arguments; PERFORM_IPC then calls WAIT with the 


message array as the argument, (2) SIGNAL causes the message 


83 





/ 


array to be copied into the message queve (in the VPT) of 
the appropriate VP_ID, (3) ultimately, the signalled VP oe 
scheduled; it had previously called WAIT, passing a pointer 
to its own local message arrays the action of WAIT is to 
copy the message from the VPT to the signalled” process 
local mesSage array, there it is interpreted by the memory 


manager process main procedure and the appropriate procedure 


is called for action (e.g., CREATE_ENTRY), (4) when action 


mee «6CCOMpleted)«€6the)«€memory manager process fills its local 


mesSage array with the appropriate return message and calls 


SIGNAL with a pointer to the message and the original 


signalling process’s VP_ID as arguments, (5) SIGNAL causes 


= “ 


the memory manager process” message to be copied into the 


VPT message queve for the appropriate VP_ID, (6) that VP is 


eventually scheduled and through the action of WAIT has the 
return message copied from its message queue in the VPT to 
its local message array; WAIT then returns to PERFORM _IPC. 
The G_AST lock is unlocked and PERFORM_IPC returns to the 
appropriate distributed memory manager procedure. 

The last procedure in the distributed memory manager 
is MM GET DBR_VALUE. This procedure simply provides the 
service of translating a DBR_NO (DER number) into its 
appropriate DBR address. It is called by the TC_GETWORK 
procedure to allow it to call the ITC procedure SWAP_VDER 
(remember that presently the Inner Traffic Controller deals 


with the DER as the address of the appropriate MMU Tecord in 
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the MMU_IMAGE while the Traffic Controller uses DBR as a DBR 


number which indexes to the appropriate MMU record). 


BE. SUMMARY 


The implementation of segment management functions and a 
nou-discretionary security policy for the SASS has been 
presented in this chapter. The implementation of the Segment 
Manager Module, Non-Discretionary Security Module, and 
Distributed Memory Manager management demonstration was 
described. 

Chapter IV will presemt. the conclusions, lessons 
learned, and suggestions for future work derived from this 


thesis. 
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2 
NMI 
[LOAD SYNC.8 
ENTRY POINT 5000 
[LOAD DBR.8 
ENTRY POINT 8000 
[LOAD SYNC STACK.8 
ENTRY POINT 7000 
[LOAD SYNC DATA.8 
ENTRY POINT 9000 
™ {LOAD KST DATA.8 
ENTRY POINT 9300 
® (R R15 
R15 40A0 [71B4 
RPC 0O75E [560E 
— RFC 5040 [5000 
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Figure 15. Load Command Lines and Register Initialization 
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IV. CGONCLUSTONS AND FOLLOW ON WORK 


The implementation of segment management for. tke 
security kernel of a secure archival Storage SyStéem has been 
presented. The implementation was completed on Zilog’s Z289¢2 
Sixteen bit nonsegmented microprocessor. Segmentation 
hardware (Zilog’s Z&@120 Memory Manegement Unit) was not 
available, therefore it waS Simulated in software as 
descrited by Reitz [9]. The loop free modular construction 
used in the implementation facilitates ease of expansion or 
moat ication. 

A mnon-discretionary security policy was implemented 
uSing a partially ordered lattice structure as a basiS. 
mnrorcement was realized througn an algorithm that compared 
two labels and determined if their relationship was equal to- 
a desired relationship. Altnougn the Dob security 
classification system was represented, any non-discretionary 
Meeuricy policy that may be represented by a lattice 
meructure may Similarly be implemented. This implerentation 
nas shown that by having the non-discretionary sé€curity 
policy enforced in one module, changing to another policy 
requires changing only this one module. 

software engineering techniques used in previous work 
mpmesized the advantages of working with code that i¢ well 


Structured, well documented, and well organized. Despite 





being written in assembly language, Reitz’ implementation of 


multiprogramming and process management proved to he 


consistent aa Style, clarity and documentation. This 
enhanced tLe Gomstruction of a segment management 
demonstration which was built onto his Synchronization 
demonstration. Further, refinements made to nis code (not 
necessitated by any failures of his code) were relatively 
easily accomplished. 

While the segment management implementation appears to 
emer properly, it haS not been subjected to &@ formal test 
plan. Such a test plan should be develope? and implemented. 

[ietemeeremory Meanaser Frocess has Leen designed tut not 
implemented. Segment management implementation, provision 
Meee Geusinb2 more practical size messages, and the detailed 
design of the memory manager by Moore ane Gary [4], provide 
a sOund foundation for memory maneger implem@€ntetion. A 
framework of the mainline code needec is rrovided in tre 
memory manager module of the demonstration code in Appendix 
Mmeeerrior to this implementation, formal testing of the 
Segment managerent implementation herein and the monitor 


implemented by Reitz [9] should be completed. 
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APPENDIX A - SEGMENT MANA Pio le blo) aC 


SEGMENT MANAGER MODULE 
CONSTANT 
NULL_ACCzSS ee 
NULL SEG = ~1 
MAX NO XST_ENTRIZES = 2? !T0 3E DETERMINED! 
meee Sha SIZE =eeo UO Exe DeteeMiner! 
MAX SEG NO = ?? !T0 BS DETERMINED! 
oreo ec NO | = 2? 1T0 BE DETERMINED! 
NR_OF ESESS = (eto re DeTEoM INE. ! 
FALSE = g 
TRUE ae 
FAD ae 
WRITE =e 
f aeaeae a pueGros CODES semen Y 
SUCCEEDED ae 
MENTOR SEG NOT KNOWN := 22 
Migs OntSS NOT 80 := 33 
eco PATIELZ =e 
MevINT TOO LARGE ae 
vc og Ayer = 2G 
TGMENT NCT XNCWN = 26 
SEGMENT IN CORE = 29 ; 
KERNEL SEGMENT = 32 
INVALID SEGMENT NC oe 
NO_ACCESS PERMITTED OI 
LEAF SEG EXISTS = 1 
NO_LEAF EXISTS = 138 
pas DOES NOT EXIST := 23 
NOmeallD TO DELETE =e 
aes FULL alee 
Pest FULL aS 
LOCAL MEMORY FULL = iG 
GLOEAL MEMORY FULL aaa 
pcs TOR. FULL et 
PaOG@ectAss NOT GY SEG CLASS := 41 
TYPE E ARRAY ARRAY [ 3 WORT ] 
EST_REC RECORD [ MM 3ANDLE G ADPRAY 
Size WORD 
ACCESS MODE EYES 
ime ore Bie 
Canis LONG 


M SEG_NO SEORT INTFGIE 
ENTRY NUMBER SHORT INTEGER 


KST ARRAY [ MAX NO ZST ENTRIES EST REC ] 
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o~ 


KSTPTR ou 

ADDRESS WORD | 

SiG ARRAY ARRAY [MAX _SFEG SIZE BYTE] 
EXTERNAL 


CLASS EQ PROCEDURE 
RETURNS ( CONDITION CCDE BYTz , 


CLASS GE PROCEDURE 
RETURNS ( CONDITION CODE BYTE } 


MM_CREATS ENTRY PRCCEDURE 
| RETURNS ( SUCCESS_CODS 38YTEz } 


MM DELETE ENTRY PROCEDURE 
RETURNS . SUCCESS COT® BYTE | 


MM MAZE KNOWN PROCEDURE 
RetuRNNs ( SUCCESS CODE BYTE 
Criss LENG 
Ses WORD } 


MM TERMINATE PROCEDURE 
PemuaNs ( SJCCESS COD= FEYTE } 


MM SWAP_IN PROCEDURE 
RETURNS ( SUCCESS COD 3YTE ; 


MM SWAP OUT PRO 
i‘ 


; CTLURE 
PETIRNS Suecess COS BYTE } 


PUOCeGLASS PROCEDURS 


ee 
meunise < PROC CLASS LCNG ) 


TC GE 
K 


ITC _SEG PTR PROCEDUPE 


T 
TORNS ( SEGPTR “SEG ARRAY ) 


ee 
i 
% 
a 


a 
R 


MONITCR PROCETURE 
PHOSBS IMPLEMENTED AT ASSEMBLY LEVEL —- SIMPLY WILL 
CALL THE MONITOR AT ADDRESS 39598! 


INTERNAL 


~ 


HPTR Y AREAY 
KPTR EST™PTR 








é 
Jf as oe 
a 9 OT 


CREAT SEGMENT PECCESURE. INVCXED RY SUPEEVISOR 
* PROCEDURE VIA GATE ZEEPER. ENSURES CALL IS VALID * 
* EY CHECKING TCO SEE IF MENTOR SEGMENT KNOWK, IF a8 
3 SEGMENT SIZE IS TOO LARGE (DESIGNED MAX SIZE), IF ne 

Peso CLASSIFICATION ARE HQUAL,AND IF COMPATIRILITY * 


** MeeeUIHReMENTS MET. IF ALL CHECKS ARS SATISFACTORY - 
* eee ti) OASATE @NIFY IS CALLED FOR MEMORY MANAGER a5 
4 oer AgE ACTION. - 
le Ces eno, = ye 2 x gs) 2s 2,5 Dye ays ops 2a eye Spe Tye BPS Sym Sys Sym Spe BAe Bee Dye BAe Be BGS ONS Sys BR NS Be ee DES TNS US NS hs ate oe she ste ste ale ste ale she she she 7 
CREATE SEGMENT PROCZDURE ( MENTOR SEG NO SEORT INTEGER 
A= y NO SHORT INTEGER 
CLASS LONG 
Sa WORT } 
RETURNS ( SUCCESS COD? BYTE } 


pao NOTE: REENTRANT PROCEDURE weaves | 
! SAVE LOCAL VARIABLZS ON STACZ TC ZNSURE ZEENTRANT ! 
LOCAL «© SBG_ INDEX SEORT INTEGER 


IF SIZE > MAX_3EG_SIZE TEEN 
SUCCESS CODE := SEGMENT TOO LARGE 


ELS: 
M SEG_INDEX := MENTOR SEG NO - N&_OF KSEGS 
KPTR :=_ oon iC cashes EST Src NO } 
IF KPTR Mt. . nee M SEG. NC = NULL SEG Deak 

XNOWN 


Bog, CLASS z= TC GET PROC “CLASS 
SOiMmeEON CODE := CLASS @Q ( PROC CLASS, 
KPTR [M SEG _ INDEX] .CLASS) 
IF CONDITION CODE = FALS# THEN 
SUCeCUSSe CONE = ACCESS CLASS NOT FO 
ELSE 
CONDITION CODE := CLASS GE ( CLASS, 
XPTR’ {M SEG INDEX].CLASS } 


IF CONDITION CODE = FALSE THEN 
HUCGHOCmCOlm == NOT COMPATIELS 


ELSE 
HPTR := #KPTR [M_S=G_INDEX] .MM_ HANDLE 
SUCCESS CODY := MM CREATE ENTRY ( EPT?, 
Hien Sian, Ghaso ) 
CONFINEMENT CSECK (SUCCESS COD) 
FI 
FI 
mal 
Fi 
RETURN 


UND CREATE SEGMENT 





te ate ale ale ale ote ate ale ate ate ale ale ate ale ale sto als ales als ole ate ale alo als alaoalo ale als ale wcisate ale ale of Be ale ula ate ale ala cleats ale ata ale ots ole cf Var’ ' 
ale aie ala ale a e ateate ate ate ale ole ale ale ale sto ule ale ale ole ate ale alo als ala elo Ja als ale sla ats ale ale ote ale ote ale alsa ate ate ale ale ate ale s'2 ale ofe ale ale ate ate vie ale ate ale ale als at 
{3s Or 2% Oy? OY® OE or ey> Myr aye aye Oye Ae AS 28 ays ah os Fy MY MP OY® yr eye oy *y* ye "> > oy eg ~ oye > i ~~ #_* +> yr og +> 338 OEP Oe Myr oye “2 oy “7 #,y= oer oye > #y* Ce tad Pr 
s 


(%* DELETE_SEGMENT PROCEDURE. INVOKED 3Y SUPERVISOP * 
*  PRCCEDURE VIA TE® GATE KEEPER. CEECZS TO SEF IF * 
* MENTOR SEGMENT ZNOWN AND IF ACCESS CLASSIFICATICN * 

(* ARE ZQUAL. THEN CALLS MM_DELETE ENT2Y FOR MEMORY * 
* MANAGER ACTION. * 


ate ale se ate ole ale ste alae afte ate ate ate ste ats ale ale ate fa ate ale ale ale alo ates ole ale ate se als ste wale ale ole afte ate ate ofe Se ale ste .4e ale ale ale ate Seale ale ale ale ale ale fe ate cleo cle ale ate 
gh Te ye Fe AED Ae AES HS gh MUP EP OG™ MS —® PUP yd SL> 2d Pye 29% 2g 24> OED + yr a> OF #y> #9 ey> > a Fy> Hyr yr #5 Fye 24> Yr O—® FyP Sys Myr QD SpS SYS Fy Sy Oger Oy 


DPLETE SEGMENT PROCEDURE ( MENTCR_SEG_NC SECKT INTEGER 
ENTEY_ NO SEORT INTEGER} 
RETURNS ougenss CODE Byer 


4 RM NOTE:  REENTRANT PROCELURE = #eaeK 5 
1 SAVE LOCAL VARIABLES ON STACK TO ENSURE REENTRANT ! 


SeLOCAL M SFG_INDEX SEORT INTEG?R 
ENTRY 
mere INDEX <:= MENTOR SEG NO - NR OF_KSuGS | 
Pemee:— KSTPTR ITC_GFT_SEG_ PTR ( &ST_SEG_NC ; 
feeapth (M SEG INDEX] M_ SEG NO = NULL SEG THEN 
SUCCESS CODE := MENTOR SEG NOT KNOWN 
| ELS? 
Pm CLASS := TC GET PRCC CLASS 
GONDITION CODE := CLASS =Q { PROC_CLASS, 
| KPTR  (M_SEG_ INDEX] .CLASS j 
IF CONDITION CODE = FALSE TYEN 
Smieenos CODn = ACCESS CLASS NOT EO 
ELSE 
EPTR := #KPTR (M SEG INDEX] .MM HANDLE 
mEcensS CODE := MM DELZTE ENTRY \ HPTR, ENTRY NO ) 
CONFINEMENT CEECK (SUCCESS CCDE 
FI 
FI 
RETURN 
END DELETE SEGMENT 


oe ea Oe ae ae 
é 


4 


é ‘ 
te de 3b 4b ae 4 
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ale ate als ale ate ale ale ate ate ale ate ~'+ ate ale s‘¢ whe whe ale ate ole ale ate ale ale ale ate ale ale vte al 
*- oye 
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MAKE ZNCWN PROCEDURE. INVOXSED 2% SUPERVISOR 
PROCEDURE VIA GATE XEEPER. CHECKS TO SEE If 
MENTOR SEGMENT ENOWN. SZARCHES sST TO SFE IF 
SEGMENT ALHZADY KNCWN (WEILE ALSC NOTING TEF 
FIRST AVAILABLE (UNUSED) S8G #}. IF THE SEGMENT 
IS ALREADY KNOWN THEN FIVISEED. IF NOT, THEN, 
USING TBZ AVAILAELE SzG #, CALL MM ACTIVATE FCR 
MEMORY MANAGER ACTION. THEN C#ECK TO SB2 IF ANY 
ACCESS IS ALLOVED. IF YES THEN DETERMINE TEE 
APPROPRIATE ACCESS ALLOWED AND UPDAT? KST. IF 
NO, THEN RETURN NULL ACCESS. 


AE AE AE EAS HE BE IE AG ASRS AS OE AS ANS FE AS AE BIE AE IE AE SAS FARIS BIS AS 2S BIE IE OAS BIS AE SENS AS DISS BIS OIE AS AE AE DISS OIE OE IETS ASS BSA AE SIE F 
MAXS KNOWN PROCEDURE ( MENTOR_SEG_NO SPORT INTEGER 
ENTRY NO SHORT INTs so 
MGCESS DESIRED EYTEe ) 
RETURNS ( SEGMENT NO SEORKT INTEGER 
AGCESS ALLOWED 3YTS 
SuGGeEss CCnE EYTz ) 
meee NOTE: RaENTRANT PROCEDURE eas lo! 
Moers LOCAL VARITABLHS ON STACKZ TO ENSURE REENTRANT ! 


LOCAL 


AVAIL SEG SHORT INTEG?: 
INDEX SEORT INTEGER 
DER NO SEOnT INTIGER 
M SEG INDEX SHORT INTEGER 


ENTRY 


foec INDEX := ee er —- NR OF KS2GS 
meth := ASTPTR MPGeGse SeG eTR ( <ST o8C NO ) 
IF KPTR7(M SES INDEX] .M_SES_NO = NULL SEG TEEN 
maeewss | GOLR := MENTOR SEG_ NCT ENOWN 
SEGMENT NO := NULL SEG 
mecHSS ALLOWED := NULL _ACC=SS 
ELS= 
PROC CLASS := TC_GET_PROC_CLASS 
HPTR := #XPTR°(M SEG INDEX] .MM_ HANDLE 
INDEX 3= @ 
SEGMENT NO := NULL SEG 
AVAIL SEG := NULL SEG 


SEE _IF_ KNOWN: 
DO 
IF KPTR (INDSX] .M_SEG_NO = MENTOR_SEG_NO 
— , Ripe. |. ENTRY NeeBS R = ENT®Y NO THEN 


ICASE: SEGMENT ALREADY KNOWN! 
SUCCESS CODE s= SUCCEEDED 
SEGMENT NO := INDZX + NR_OF_KSEGS 
MOGI Soe L Ley SD := XOTR ~CINDEX] . ACCESS MOLE 
EXIT SEE IF KNOWN 


1¢¢ 


J ale ale ala als ale ate ate «' te We a! teats af ¢ ? 5 J § $ 
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PLSE a. 
IF <KPTR (INDEX].™_S ee NC = 
ANDIF AVAIL SEG = NULE SEG TEEN 
AVAIL SEG := INL?X > NR Om Kszcs 


Pel 

INDEX r= 1 

PPSINDEX > MAX NC_ AST =SNTRIES THEN BXIT FI 
al 
OD 


eax it SEE IF KNOWN ! 
IF SEGMENT NO = NULL_SEG 
ANDIF AVAIL SES <> NULL SEG THEN !CASE: SEGMENT NOT 
ENOWN AND SEG # IS AVAILAPLE! 
INDEX := AVAIL SEG - NP _OF XSEGS 
SEGMENT NO := AVAIL S2G 
DER NO := TC_GFT DBR_NO 
Suess, COLZ,KPTR [INDEX] .CLASS ,KPTH [INDEX].SIZE:= 
MM ACTIVATE(DBR_ NO eee NO,SEGMENT NO) 
CONFINEMENT CEFCK (SUCCESS CODE 
Pmeesuockss CODE = SUCOBEDZD THEN 
MOM ITUON, CODE := CLASS Gs ( PROC CLASS, 
Kom Lin roxl scLAss.) 
IF CONDITION CODE = FALSE THEN !NO ACCESS! 
NGEGHSS ALLOWED :="NULL. ACCESS 
SUCCESS COLE := MM DFACTIVATE (LER _NC,EPTR) 
CONFINEMENT CHECK (SUCCESS COD3) 
Scemes CORR == PROC GLASS NOT GE SEG CLASS 
SEGMENT NC := NULL SiG 
ELSE 
CONDITION CODE := CLASS 3G ( PROC CLASS, 


IF CONDITION CODE = TEUE 
PveteeACCRSS DESIRED = WRITS TEEN 
FeGtos ALLCN MD :=eahiTa 


ELS 
NGCHssuLOWwD) 2=—= RAD 
FI 
KOTR [INDEX] .IN_ CORE: := FALSE 
XPTR [INDEX] .M_SEG_VO := MENTOR SEG NO 
KPGR” {INDEX] .ENTRY NUMEER := ZNTRY_NC 
Boi MOuNO sk ACCESS ODS <= ACCESS ALLOWSL 
a 
RiSe 


SEGMENT NO := NULL SEG 
ACCESS ALLOWED := NULL_ACCHSS 
Fl 
ELSE 
SuceGhos CODe := NO SHG _ AVAIL 
SEGMENT NO := NULL_SEG 
ACCESS_ALLOWED := NULL ACCESS 
wt 
BL 
KETURN 
END MAdE KNOWN 


t— 
mS 
Cyr 


soe ae oe ae fo ale ale ale ate abe ate ale alo ale als ats ule wle ale 


ale ate whe ule a. ele ale ate ale ale ale whe ale wie ale ale ate ale ale aleate als ole ate at. ale ale s! 
ASAE AS AS AE TE SS AS DiS AE AE AE BE ASAE AS SS FS AS BAS AS BS AS I AS IE AS BIS BE TE BS AS AS TS TS BC OS TIS 2S BIS BIS IS OS BIS TS 24S BIS TNE ZI AS ole BIE OS 3S 


** TERMINATES PROCEDURE. INVOKED 3Y SUPERVISOR . 

* meecCebURr VIA GATE KeEPER. CEECKS TC SEE IF = 
la SEGMENT IS KNOWN AND IF SEGMENT NUMBER I5 

* meee. LF CaeCcS ARS SATISFACTORY THEN MM DEACTI- 

** VATE IS CALL£D FOR MEMCRY MANAGER ACTION. 


~ 


, ’ ’ te wt te 4 2 Snare 
BE AS 2S HS AS AAS BS AS AS AS FS EAE TS 2S SS AS BIS OES ER AS ES SS BE AS 24S OES TIS AS BES OE OS SS TUS IS ES SIS 2S YS BIE NS OS 


at 
& 
3v 
2 
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TERMINATE PROCEDURE ( SEGMENT NO SHCRT_INTEGER ) 
RBLURNS ( SUCCESS_CODE BYTE ) a 


ie SH NOTH: REENTRANT PROCEDURE a Niraaaap | 
Boe e LOCA] VARIASLES ON STACK TCO ENSURE REENTRANT ! 





EOCAL INDEX SEORT INTEGER 
DER NC SEOaT_ INTEGER 
ENTRY 
PNee@k := SEGMENT NO - NR OF KXSEGS 
Meee KSTPTR ITC_GET SEG PTR , KSI SEG_NO , 
IF KPTR [INDEX].M_SEG_NO = NULL _SEG THEN 
emcunsS CODE s= SEGMENT NOT KNOWN 
ASL 
IF XPTR  [INDEX].IN CORE =TRUZ TEEN 
secorsS CODE := SEGMENT IN CORE 
aes by | 
IF SEGMENT NO < NR_OF XSEGS 
SUGORSS=CODE := KE2NEL SHEMENT 
ELSE 
IF SEGMENT NO > MAX SEG _NO THEN 
Sicguss CapE := can SEGMENT NO 
Se 
HPTR := #KPTR [INDEX].MM ZANDLE 
DBR NO := TC_GET DBR_NO 
SCOrmSe COPE == Ur DEACTIVAT® (LER NC,EPTS) 
CONFINEMENT CHECK (SUCCESS COD) 
~ IF SUCCESS CODES = SYCCHEDED TEEN 
KPTn [INDEX] .M_SEG_NO := NULL 
FI 
FI 
FI 


| —- RETURN 
END TERMINATE 
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. Po ASAE AE HE IE EE AE AE AE AE AAS BIS BAS ASE AS ANE SE ANE BI AE IE AE SE AE AE SEAT BIS AS AE TIE AE EAE BS ENE AE IE AE BIE AE BE AS TE GS IS IS IE HE OE ES SIE 2 
| 3 
4 oM_SWA?P_IN PROCEDURE. INVOKED BY SUPERVISOR i. 
Fe moe eee Kewee se. CorCKS TO SEP IF 
| SGMENT KNOWN; I? YES THEN CALLS MM_SWAP_IN FOR 
e MaMORY MANAGER ACTION. " 
yt a 
~ “et 
SHS BS HE AS DYE BS SHS AS HE TS SAS BE YS AAS IS BS TS HS IE DIE BS AE AAS BYE BES Be BEE SE BE TE AS HS BE AE TS HS AE AS HK DS BE DE 3S SSIS BE AS HE BYE AE AS HE ! 


| SM SWAP_IN PROCEDURE ( SEGMENT_NO SHORT _INTIGER ) 
RETURNS ( SUCCESS CODE EYTE } 


en oie NOTE : HENTRANT PROCEDURES secre 
! SAVE LOCAL VARIABLES ON STACK TO BNSURE RSENTRANT ! 


iO CAL INDEX SEORT INTEGER 
DBR_NO SHOKT INTEGER 
ENTRY 
epee = SEGMENT NO - NE _OF KSEGS 
Meme >= KSTPTR ITC_GET_SEG_PTR ( KST_SEG_NU ) 
IF PTR [INDEX] .M_SEG_NO = NULL SFG TEEN 
muccEsS CODs = amar NOT XNOWN 
ZLSE 
feomerin [INDEX] .IN CORE = TRUS TEEN 
SWCGESS CODE := SUCCEEDED 


ELSE _ | 
HPTR = #KPTROCINDEX] .MM_ EANDL2 
DBR_NO := TC_GET DER_NO 


SUCCESS CODE 2= MM SW? IN { SPTR, DBReNO, 
KPTR~ [INDEX] “ACCESS. MODE } 
CONFINEMENT CHECK (SUCCESS CODE} 
moc Cetos CODE = SUCCESDED TEEN 
KPTHR [IND=X] .IN CCRE := TRUE 
a 
FI 
FI 
RETUPN 
END SM SWAP_IN 


Heat 
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Suieowece JUL PROCEDURE. INVOKED BY SUPERVISOR “ 
PROCZDURE VIA THE GATE KEEPER. CEsCaS TO SEE IF 2 
SEGMENT KNOWN; IF YES TEEN MM SWAP OUT IS CALLED = 
FOR MEMORY MANAGER ACTION. S 
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ale 
~~ 
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'SM_SWAP_OUT PROCEDURE ( SEGMENT NO  SHOKT_INTRGER ) 
RETURNS ( SUCCESS CODE 3YTE } 


| a NOTE: REENTRANT PROCEDURE IEA 
| ! SAVE LOCAL VARIABLES ON STACK TO ENSURE RESNTRANT ! 
mLCCAL GhDEX SEQaT_INTEGER 
DBR_NO SEORkT_INTEGER 
ENTRY 
INDEX := SEGMENT NO - NR OF KSEG 
Meth := XSTPTR ITC_GET SEG PTR 
Ir KPTR [INDEX] .M_SzEG NO = NULL. 
eecrss CODE  := SEGMENT NOT : 
ELSE 
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APPENDIX C 


DIST MMGR MODULE 


BONSTANT 


CHEAT2 ENTRY COLE 
DELETE ENTRY CODE 
ACTIVATS S&kG CODE 
Sie GG 
OWAP_IN exe CODE 
SWAP_ OUT SEG CODE 
NO OF PROCESSORS 
MAX NO. KST_ ENTRIZS 


DEACTIVAT? 


MAX SEG SIZE 
MAX DER_ NO 
NR_OF_XSEGS 
KST SEG_NO 
H AREAY 


COM MSG 


DELETE MSG 


ACTIVATE MSG 


DEACTIVATE MSG 


eels I PUTED MEMCRY 


|| 
Oi 
}— 


lou np ub tb dead wea 


ARRAY [3 WCRD] 


ARRAY [1E€ 3YTE] 
RECORD [CREAT? COD 
Cz MM HANDLE 
CE ENTRY_NO 
Coen aR 
CE SIZE 
Cz CLASS 


RECCRD [DFLET! CODE 
DE MM HANDLE 
DE ENTRY vO 
DE FILLER 


A DBR NO 

A -FILLER1 
A_MM_ZANDLE 
Pee a Y NO 
AL SEGMENT. NO 
A _FILLER2 


Paeniv ATs 
D DER_NO 

D FILLFR1 
D MM SANDLE 
Ue FILLiR2 


RECORD 


Id 


MANAGER PLZ/sSYS LISTINGS 


WORT 

Sever Ay 
SEORT_ INTEGaR 
PYTR 

WORD 

LONG) 


WCRD 
H ARRAY 
SHORT INTEGER 
ARRAY L? FYTE]] 


RECORD [ACTIVATE COD WORD 


SHORT INTEGER 
EYTE 

H ARRAY 

SEORT INTEGER 
SECKT INTEGER 
LONG] 


CODE WORD 


SEORD INTPGER 
BYTE 
H ARRAY 


ARRAY (2 WCRD]] 





SWAP IN MSG RECORD [SWAP_IN CODE WORD 
SI_MM_ HANDLE E_ARRAY 
SI_DBR_NO SHORT _INTEGER 
Sle A GGeso ALTE BYTE 
Sf lier ARs WORD | | 


SWAP OUT_MSG RECORD [SWAP_OUT CODE WORD 
SO DBR_NO SHORT INTEGER 
SO FILLER1 PY 1 
SO MM_HANDLE # AREAY 
SO FILLER2 . ARRAY[3 WORD] ] 


meouC CODE RECORD [SUC_CODE pals 
SiGe CULE Sen Poe Sir & | 
] 
R_ACTIVATE ARG wkzZCORD [R SUC_CODE BYTE 
R_FILLER BYTE 
R MM HANDLE  £E ARRAY 
R.CiAsS LONG 
R_SIZE WORT] 
Cz PTR “CREATE _MSG 
[TE PTR “DELETE MSG 
A PTR PAGER ATE MSC 
D PTR “DEACTIVATE MSG 
SI_PTR “SWAP_IN_MSG 
SO_PTR , “SWAP OUT MSG 
SC PTR PRESUC.C.ODn 
ARG PTR “R ACTIVATE ARG 
KST REC RECORD [ MM HANDLE a ARRAY 
SIZE WORD 
ACCESS MODE LYTE 
IN CORE BYTE 
CEASs LONG 
M SEG_NC SHORT INTEGER 


ENTRY NUMBER SHORT INTEGER ] 


EST ARRAY [ MAX NO &ST ENTRIES XKST REC ] 


noe 


KSTPTR om 


ADDRESS WORD 
SEG DESC REG RECCRD [EASE AITDR ALDRESS 
ete BYTE 
Lenin. Sys 
MMU RECORD [SDR ARRAY [NC SEG DESC REG 
SHG Dasc REG | 
BLKS USED WORD 
MAX BIKS WORD] 
MM_VP_ID WORD 
SEG ARRAY ARNE SEG SLZE BYTE] 
SFEGPTR “SEG ARRAY 
INTERNAL 
MM CPU TABLE ARRAY [NO OF PROCESSO®S MM YP_ID] 
EXTERNAL 
MMU_IMAGE ARRAY [MAX _DBR_NO MMU] 
ees? LOCK Rue 
ke LOCK PROCEDURE 
K_ UNLOCK PROCEDURE 


ITC GET CPU_NO PROCEDURE 
SIGNAL PROCEDURE 
WAIT PROCEDURE 
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ray, CREAT _ ENTRY PROCEDURE. INVOKED 3Y SEGMENT 

a MANAGER’S CREATE SEGMENT PROCEDURE. PERFORMS TYPE 
4 CONVERSION OF POINTERS, LOADS MESSAGE ARRAY FOR 

- eo, AND PERFCRMS IPC WITH MEMORY MANAGSER PROCESS. 
7% RETURNS SUCCESS CODE. 


MEDS HENS AE ISS ENE AE BSE AS SAE AE OS SIS OS IS BE ANS AS AS AAS SS SAS AS EAS ANS IE AE SIC AS YE AE AS AE AIS AE OE IS AE BIS AS ANE OOK IS AS AE OE OS OS | 
MM_ CREATE ENTRY PROCEDURE ( dPTR “H ARRAY 
ENTRY_NO SHORT INTEGER 
SIZE WORD 
CLASS LONG ) 
RETURNS (MsUCCrsSCOnE BYTE ) 
P «ea: NOTE: REENTRANT PRCCELURE Mea 
! SAVE LOCAL VARIABLES ON STACK TO ENSURE REENTEANT ! 


LOCAL Cz _MSGPTR CE PTR 
COM_MSGBUF COM_MSG 
COM MSGPT2 “COM MSG 
SUC_CODE PTR SC_PTR 


UNTRY 
COM MSGPTR := #COM MSG3UF 
! TYPE CONVERT TO OVERLAY ARGUMENT LIST CNTC MSG LIST ! 
CE MSGPTR := CE PTE COM_MSGPTR 
! LOAD ARG LIST ONTO MSG ARRAY ! 
CE_MSGPTR~.CRFATP CODE := CREATE _FNTRY COLE 


E MSGPTR™ -CE_MM_RANDLE [3] = HPTR [2] ” 
CE MSGPTR .CE MM_HANDLE([1] := HPTR [1] 
CE_MSGPTR” .CE_M™ “ EANDLE (2) 2= EPTR [2] 


CE_MSGPTR .CE_ENTRY_NO := ENTRY_NO 

MeeMSGPTR .CE CLASS := CLASS 

SeemoGPTR .Ck SIZE := SIZE 

PERFORM_IPC (COM_MSGPTR) 

t TYPE CONVERT TO OVERLAY MSG ARRAY ONTO RET ARG LIST ! 
SUC_CODE PTR := SC_PTR COM_MSGPTR 

Pmecsss CODE := SUC_CODE PTR .SUC_ CODE 

RETURN 

END MM_CREATE ENTRY 
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ate ale ate ale ste ate ale ale ale ale ale ale ale whe ale ate ale ale ale ale ale ale ale ale ales 
aye A APH 


ale ale ate ale ale ale aly ale ste ale s‘¢ ale ale ale ste ale ale ales le ale ale ale ale ale ale ale ale ale ale ate ate ale ale ale « io . 
“ Sym gr Ope OF? OEP MP MP MY gh ge See Myr oye Hype HyX “> “~~ “ \* “~~ oo “i? ror “> “Pr ee PUP Sgr Myr Ogr Em o gr Cyr CP® “ye MY wy? 74> “> *\> Hy MP Oy™ ME MI 95 yr yy oe 
MM DS L E I i : ; 4 e E 


CONVERSION OF PCINTERS, LCADS MESSAGE ARRAY FOR 
IPC, AND PERFORMS IPC WITZ MEMORY MANAGER PROCESS. 
RETURNS SUCCESS CODz. 


! 
MANAGER “S DELETE SZGMENT PROCEDUPS. SR FoRts TYPE 


Beeps eave 2s HEREC FES HE DE He BE AC AE AE 2 OE EAE 2 EAE AS SOR AS AE AS TIE DIS TIE TIS HS TIE TE YS OS HS SHR SE OE TS RAK AE AS OS AS OAS OE 
MM DELETE ENTRY PROCEDURE ( HPTR “H ARRAY 
| TINTRY NO SHORT INTE 
RETURNS ( SUCCESS CODE 2BYTE ) 


meee NOTE: REENTRANT PROCEDURE eieaat 
! SAVE LOCAL VARIABLES ON STACK TO ENSURE. REENTRANT ! 


LOCAL Bietiog.s LR a 


COM_MSGEUE COM _MSG 
COM MSGPTR ~COM_MSG 
SUC_CODE PTR SC_PTR 


ENTRY 


COM MSGPTR := #COM MSGRBUF 


! TYPE CONVERSION TO OVSRLAY ARG LIST ONTO MSS ARRAY 


Di MSGPTR := [DF PTR COM MSGPTER 
! LOAD ARG LIST ONTO MSG ARRAY ! 

DE_MSGPTR .DSLE CODE := DELET£ ZNTRY_CODE 
DE_MSGPTR” .DR_ ve FANDLE[@] := EPTR [¢] 
DE_MSGPTR”.DE_MM_HANDLE(1] := IPTR™ [1] 

D= MSGPTR” .D= MM HANDLE[2] := 4PTR [2] 

DE MSGPTR”.DE ENTRY_NO := ENTEY_NO 

PERFORM IPC (COM_MSGPTE) 


! TYPE CONVERT TO OVERLAY MSG ARRAY ONTO ARG LIST ! 


SUC_CODE_PTR := SC_PTR COM MSGPTR 
SUCCESS CODE := SUC_CODE_PTR” .SUC_CODE 
RETURN 

END MM DELETE ENT2Y 
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! Bete ope ys ym Bye Dye Sys AAs MS My Bys ogs Spe Hye Bge ae Dye ye Spe Me Byw Dye Dye Bye DS DoS TUS NS Bye Bye TNS BS SEs Sys HS YS BES BSS Oye BER Be Bye Ope YS Bye yO Mae AES YO ONS Mae SONS AOS 
** MM_ACTIVATE PROCEDURE. INVOKED BY SEGMENT MANA- x 
i GER°S MAKE SNOWN PROCEDUR?. PERFORMS TYPE CONVE2SION * 
- OF POINTERS, LOADS MESS AGS ew FOR PC AND UP- as 
o DATES MM HANDLE ENTRY IN XST AFTER PERFORMING THE 
i. Meee RETURNS SUCCESS CCL, CLASS, AND SIZE. ns 
sae 3 Ae ae BE BE a of aE Be IE IE fe NE BEE BE fe IE Me aE ae aN 2 2 EAE OIE A EAE CA BE CA NE SIAN EE AC aK SIE 2 a STC EAE 

‘MM ACTIVATE PROCEDURE ( DER_NO SHOnT_INTEGER 

eee “H ARRAY 

ENTRY NO SHORT INTEGER 

SEGMENT _ NC SHORT INTEGER , 
RETUPNS ( SUCCESS CODE BYTE 

eA 5 LONG 

SIZE WORD ) 


Baer NOTE: EEENTRANT PROCEDURE pice cee) 
1 SAVE LOCAL VARIA3LES ON STACK TO ENSURE REENTRANT ! 


LCCAL A MSGPTR A PTR 
COM MSGBUF COM MSG 
COM_MSGPTR ~COM MSG 
RET ARGPTR ARGPTR 
KPTR XSTPTR 
INDEX SHORT INTEGER 
ENTRY 
COM_MSGPTR := #COM MSGBUF 
! TYPE CONVERT TO OVERLAY ARG LIST ONTO MSG ARRAY ! 
A MSGPTR := A PTR COM _MSGPTR 
! LOAD ARG LIST ONTO MSG ARRAY ! 
AL MSGPTR- ACTIVATE CODE := ACTIVATE SEG CODS 
A MSGPTR” .A_LBR_NO := DBR_NC 
A MSGPTR .A_MM_SANDLE[@] := HPTR™ [Z] 
A _MSGPTR” .A_MM -HANDLE[1] := BPTR7[1] 
MMoGrTR .A MM BANDLE(2] := EPTR™ [2] 
AL MeeeTR A ENTRY NO := ENTRY NO 
A MSGPTR” .A SEGMENT NO := SEGMENT NO 
PERFORM IPC. COO MSGPTR) 
! TYPE CONVERT TO OVERLAY MSG ARRAY ONTO RET ARG LIST ! 
RET_ARGPTR := ARG_PTR COM MSGPTR ~ 
SUCCESS CODE := RET ARGPTR’ .R SUC_CODF 
CLASS := RET ARGPTR- SPeGuASS 
SIZE := RET_ARGPTR”~.R SIZE 
INDEX := SEGMENT NO -— NR OCF _KSEGS 
! RETRIEVE HANDLE AND UPDATE K3ST ! 
KPTR := KSTPTR MM_GET_KSEG_PTR ( SEG_NO ) 
EPTR := #KPTR™ [INDEX] . ie HANDLE 
ZPTR “[3] := RET ARGPTR .R_MM ZANDLE[@] 
HPTR et := RET. ARGPTR” .R MM HAND L# [1] 
EPTR [2] := RET ARGPTR.R_MM BANDL=Z([2} 
RETURN 
END MM ACTIVATE 





PIE AAS AIS BS NS DK AS AE BIS SS BIS BIS TE OI BIS BIS BIS AS BIS AS AE AS BS AS AAS AE AS BAS OS 24S FE TIE BS OS OS OS AIS HE TIS IE IE AS PE NE SI AE AS BK ISAS AS 2S IS AE AE 2 3 OS 
*  MM_DEACTIVATE PROCEDURE. INVOKED 3Y SEG MGR’S 
*  DRACTIVATE PROCEDURE. PERFCRMS TYPE CONVERSION “8 
* OF POINTERS, LOADS MESSAGE ARRAY FOR IPC, AND PER- * 
* FORMS IPC. RETURNS SUCCZSS_CODE. : 
eves see eaten ak BS HE AS BE AS EAS AE TE TE AE SE EAS BEE AS AS BE AS AS ANE AS DE ESS IS BE FE ISAS ASAE HE AE SILAS EE AE AS IS AE TS | 
MM DEACTIVATE PROCEDURE ( D3R_NO _SHORT_INTEGER 

HPTR H ARRAY ) 

RETURNS ( SUCCESS_CODE 3YT# ) 


meee NOTE: REENTRANT PROCEDURE sores 
f SAVE LOCAL VARIABLES ON STACK TO ENSURE REENTRANT ! 


(LOCAL D_MSGPTR OD PTR 

COM_MSGEUF COM_MSG 
COM MSGPTR ~COM_MSG 
Ewe CODE PTR SC PTR 


aNTay 

COM_MSGPTR := #COM MSGRUF 

! TYPE CONVERT TO OVERLAY ARG LIST ONTO MSG ARRAY ! 
(evecetR := D PIR COM _MSGPTR 

f LOAD ARG LIST ONTO MSG ARRAY ! 

D_ MSGPTR™ ~DEACTIVATE CODE := DEACTIVATE SEG CODE 


D_ MSGPTR™ =D DER NO := DER NO 


D_MSGPTR” .D_ _MM_HANDLE([2] := Ue ok 
D_ MSGPTR_ .D MM BANDLE[1] := HPTR [1] 
D MSGPTR” .D MM HANDLE(2] := EPTR™ [2] 


PERFORM IPC (COM_ MSGPTR) 
! TYPE CONVERT TO OVERLAY MSG ARRAY ONTO RET ARG LIST ! 
SUC CODE PTR := SC_ PTR COM MSGPTR 
SUCCESS _CODE $= SUC. _CODE | PTR UC CODE 
RETURN 
END MM _DEACTIVATE 
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! 

* MM_SWAP_IN PROCEDURE. INVOKED 3Y SEGMENT MANAGER’S 
‘ SM SWAP IN PROCFLURE. PEXFCRMS TYPE CONVERSION OF * 
x 


: POINTERS, LOADS MESSAGE ARRAY FOR IPC, AND PERFCRMS 
a WG. RETURNS SUCCESS CODE. 
Stes x SE HE AE SHE BE AS NE ME TAS IE TIE OS BE BIS OK AS BIS OS OIE AS DE BE AE BS AE BS AS BS BIL NS BS BS TIS YE IS BEE BS NS EAE OS OK ISS OK ATE 
MM SWAP IN PROCEDURE ( DBR_NO SHORT INTEGER 
KPTR EK ARRAY 
ACCESS MOLE BYTE ) 
RETURNS O SIGCOMSS (eC wick) 


p RMR NOTE: REENTRANT PROCEDURE reseneae 

/ {1 SAVE LOCAL VARIABLES ON STACK TO ENSURE REENTRANT ! 
LOCAL SI_MSGPTR SI_ PTR 

COM_MSGBUF COM MSG 

COM _MSGPTR ~COM_MSG 

SUC_CODE PTR SC_PTR 


ENTRY 
BOMeMSGPTR := #COM MSGBUF 
{ TYPE CONVERT TO CVERLAY ARG LIST ONTO MSG ARRAY ! 
Sameecrme s= sl PTR COM MSGPTR 
! LOAD ARG LIST ONTO MSG ARRAY ! 
SIIMSGPTR .SWAP_IN CODE := SWAP_IN SEG CODE 
SI_MSGPTR’.SI_MM_EANDLE[2] := HPTR “(a)” 
SI_MSGPTR7 SI MM RANDLE [1] ‘= per [4] 
Bl MscPTR .SI MM_EANDLEL2] := EPTR? [2] 
SI_MSGPTR .SI_DBR_NO := DZBR_NO 
SI_MSGPTR~.SI ACCESS AUTH := ACCESS MODZ 
PERFORM_IPC (COM _MSGPTR) 
! TYPE CONVERT TO OVERLAY MSG ARRAY ONTO EFT ARG LIST ! 
SUC_CODE PTR SC_PTR COM_MSGPTR 
emccssSS CCDE SUC_CODE PTR” .SUC_CODZ 
RETURN 
END MM_SWAP_IN 


WoW 
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* MM_SWAP_OUT PROCEDURE. INVCKED BY SEGMENT MANAGER'S * 


a SM SWAP OUT PROCEDURE. PERFORMS TYPs CONVERSION OF 
ok POINTERS, LOADS MESSAGE ARRAY FOR IPC, AND PERFCRMS * 
* IPC. RETURNS SUCCESS CODE. *% 
= SBS HE BE 2S BS BIE AS SIS BEE IE SIE BIS BIS IE AYE AAC SIS AYE AAS NS BIS BS NS BIS FS OE OS BIE AIS IS AS SE SIS IS TAS IE BIS AS BIE OIE AAT TIE IS AE SIE AS AS AE OS OE OE SSIS | 
MM SWAP OUT PROCEDURE ( HPTR “AH AREAY 
Neorss MODH = BYTE ) 
RETURNS @eseeerss COD e EYTs —) 


Zeros NOTE: REENTRANT PROCEDURE pac eacee |! 
SAVE LOCAL VARIABLES ON STACK TO ENSURE REENTRANT ! 


LOCAL SO_MSGPTR SO PTR 
COM_MSGBUF COM MSc 
COM MSGPIR ~CCM MSG 
SUiee CODE PTR Sic_PTR 


ENTRY 
COM MSGPTR := #COM MSGEUF 
meer: CONVERT TO OVEPLAY ARG LIST ONTO MSG AzRAY ! 
SO MSGPTR := SO PTR COM MSGPTR 
Demo AD ARG Li ST CNTO MSG ARRAY ! 
pO. MSGPTR OWAP OUT CODE := SWAP _OU JT SEG CODE 


510 MSGPTR~.SO MM EANDLE(2] := HPTR [yz] 
scm MSGPTR” SO MM HANDLE(1] := EPTR [1] 
SO_MSGPTR .SO_MM_HANDLE[2] := HPTR™ [2] 
SO MSGPTR~.SO_DBR_NO := DBR_NO 


PERFCHM_IPC’ (COM MSGPTE) 
! TYPE CONVERT TO OVERLAY MSG ARRAY ONTO RET ARG LIST ! 
SUC_CODE_PTR := SC_PTR COM_MSGPTR 
SUCCESS CODE := SUC_CCBE PIR” .SUC_CODE 
RETURN 
END MM SWAP OUT 
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8s wale Je a! ¢ Yo ale ale ale ate aly ale ata ale ate ale ale ates ale ale ale ale x ale ate «le a! 
oe 


Mists 246 S75 3y5 54S 24S HS BS BE SPE BES Bp Bhs BIR OAS 3S FS NS BS ByS 3yS OES US NS YS HE IS SHS AS TS TIE OHS OES BS TS TNS NE NE TIS 
** MM _GeT DBk_VALUZ. SeHRVICE ROUTINE TEAT RETRIEVES 
x THE DBR VALUE (IE ADDRESS) BASED JPON A D3R_NO. 


HEAL BS AE AE BE NE AE AE AAS BE AE AE ASAE EE HE IS AE BSS BE A BE SES AE AE TI NE AE FS AE AS OS 3h THE EE A AS FS ES BS IS BIS BE TE OE TE FS BIS AS ES NS ES 
MM GET D3R_VALUE PROCSIURE (DBR_NO SHORT INTEGER) 
RETURNS (LER VALUE ADDRESS, 
more NOTE: EBSNTEANT PROCEDURG uccee! 
P SAYE LOCAL VARIASLES ON STACK TO ENSURE REENTRANT ! 
ENTRY 
DBR VALUE := #MMU_IMAGE [D3R_NO] 
RETURN 
END MM_GET_DBR_VALUS 
PRES AE AS SEE AS AS AE AS AE TE GSS 2S AS IE BS SS AS BE 2H BIS IE ANE TE IS AS BI 2S BIS HS AS 29S 2S IE IE OS ASAE A IS OS ANE AIS 2S YS AE BIS BIS AE AE 2S OE OE AE 2S 
we ate 
8 PERFORM IPC PROCEDURE. INVOKED BY DISTRIBUTED 


x MEMORY MANAGER PROCEDURES. DETERMINES CURRENT re 
*e MEMORY MANAGER “S VP_ID, LOCXS G AST, PERFORMS * 
*8 IPC VIA SIGNAL AND WAIT PRIMITIVES, AND GNLOCKS 
“8 THE G AST. 


ale ale ate ate ale ale ale ate ale ale we ale ate vle Seo ole ale ale ale ole ate ate ale ale ate ate ate ate ate ats ale ale ale ale ala ale ate ale w'e st ss Sse 3 le whe ate ale a Par 
GP Aye SYD 4s SG yd Sys SYR FYE Fgh Spe Se Fe SYD Fgh SED yD Spe HGS Fy 29% SFY Gyr SyP O gd Ge Aye Myr OGD MH pr Ogre Gr TES SYS 24m 24d HGS BAe Oye 24% 25 38 4 ped sss os Oh Oye 2 yh gs Fgs 2g Oye O4™ HS 
® 


PERFORM IPC PROCSTURE eeCy NSCPiR ecw MSs) 


meres NOTE: KEENTFANT PROCEDURE nee 
BeoaAVE LOCAL VARIABLES ON STACK TO Z@NSURE REENTRANT ! 


LOCAL MMGR_VP_ID 


ENTRY 7 
! DETERMINE MMGR VP ID ! 
feoeNe s= ITC GPT CPU_NO 
MMGR VP ID := MM_CPU_TARLE [CPU_NO] 
Papeoca (#G AST LOCK) 
! IPC WITH MEMORY MANAGER PROCZSS ! 
SIGNAL ( COM_MSGPTR, MMGR_YP_ID ) 
WAIT ( COM MSGPTR ) 
K UNLOCK (#G_AST_LOCK ) 
RETURN 
END PERFORM IPC 


END DIST_MMGE 
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APPENDIX EB - NON-DISCRETIONARY SECURITY PLZ/SYS LISTINGS 


NDS MODULE 


CONSTANT 
| TRUE 
FALSE 


TYPE 
MC@ESS CLASS 


Geek Rt 


D INTERNAL 
| CLASS1_ PTR 
CLASS2 PTR 
CATS REL 


Hoo 


ReCORD [ LEVEL 
: CAT 
ACCESS CLAS 


Se ue 
Crt 
INTEGER 


INTEGSR 
Lee te) 


GLOBAL 
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! Fee UM HAS AY® ge Fg SYS See gS gS ye Spe ae PR SE MGs 24s OYS Sys FGe OES OGe Ge YS FS SEe Fyh FAS SFE H4S SE® SYD AYE SEP gs TpS GP Sys SGe My SGP Fo SYR MpP Spe AYR gs 24% 24% YS hE SYD 24S 91D CYS M4h Oye O4® 
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4 CLASS EQ PROCEDURE. INVOKSD BY VARIOUS KEANEL cs 


PROCEDURES. COMPARTS TwU CLASSIFICATIONS (LABELS) - * 
a AND DETERMINSS IF THEIR RELATIONSEIP IS FQUAL. * 
x RETURNS A TEJE/FALSE CONDITION _CODS., - 


. 

-~ 

ale »/. eats ate ale als ale ale 
“nr @ 


we Je «! ove ate ale le ale ale a ate ale 
OP Fer 28 2S OP AS 2N OS a 


ate ale ate ale ate ale ale a fe als 
AE FS AS AS RSS ye As 3,8 35 2,8 3,5 2S FS 38 2 2838 


ale a! 
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* *? oy ~-— #,* ~> > om + > ~- > “~> ~~ > = oe ~-— > ~~ o> > of 1" 7" ~~ > o" ~* “~* 
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BLASS EQ PROCEDURE ( CLASS1 LONG 
Cis oe LONG } 
RETURNS ( CONDITION CCDE EYTE ) 


ENTRY 
IF CLASSI = CLASS2 THEN 
CONDITION CODE := TRUZ 
ELSE 
CONDITION CODE := FALSE 
FI 
RETURN 
END CLASS _&Q 
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Wo Ww 


CLASS Gz PROCHLIURE. CALLED BY VARIOUS KERNEL 
PROCEDURES. COMPARES TWO CLASSIFICATIONS (CLASSI 
AND CLASS2) AND DaTERMINES IF LABEL1 1S GREATER 
TRAN OR ZOQUAL TO CLASS2,. RETURNS IRUE/FALS« CONDI- 
TION CODE. 
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at 
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3% % HH Fe = 
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Rete AS ae ae He ae ae ee ea ES HE BC HA I aa EE AE a at EE ale AS Sane IC 2S ae AE BK a CB aD IE BICAE DIC EC a ae A a ke a ae a 
CLASS_GH PROCEDURE ( CLASS1 LONG 
7 CLASS2 LONG ) 
RETURNS COP COL alr >} 
SNTR 


if 

! TYPE CONVERSION TO ALLOW OPERATIONS ON TEE 16 MOST ! 

Meron) 16 LYAST SIGNIFICANT BITS OF EACE CLASS. TEE ! 

! 16 MS3ITS ARF THE CLASS LEVEL AND TYE 16 LS2BITS ! 

! ARE TEE CLASS CATEGORY (CAT). 

CLASS1 PTR CPi GeemAs St 

CLASS2 PTR CPTR Ons 552 

! COMPARE CATEGORIES (SET COMPARISON;3; SEE IF CAT2 ! 

ieee SUBSET OF CATL. 

meee s= CLASS1 PTE .CAT OR CLASS2 PTR .CAT 

If CATS_REL = CLASS1_PTR™ .CAT ! THEN CAT2 IS SU3SET ! 

Peel CLASS1 PTR .LEViL >= CLASS2 PTa .LEVEL TEEN 

! LEVEL COMPARISON IS SIMPLE NUMERICAL COMPARISON ! 
CONDITION CODE := TRUE 
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CONDITION CODE FALSE 
FI 
RETURN 

END CLASS GE 

END NDS 
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APPENDIX G — SUMMARY OF REFINEMENTS 


The following new procedures were added to the Inner 
mratfic Controller: 

(1) ITC_GET_CPU_NO procedure. This procedure locates and 
returns the current CPU number (identification). It was used 
in segment manégement ty the distributed memory ménager to 
index into the MM CPU_ TABLE to find the memory manager 
meeeeeo Ve 1D for the current processor. This VFP_IDb was, in 
turn, used as an argument in the call te SIGNAL. 

(2) ITC_GET_SEG_PTR procedure. This service procedure 
muses an input segment number to search the MMU_IMAGE to find 
the base address Gaecer) fOruLUdteccementemly was used in 
segment management to find the base address of the segment 
Meed im a process for its KS. | 

(3) K_LOCK and E_'NLOCK procedures. These orocedures 
were implementei to indicate the intention to eventually 
Mwenea kernel wdait-lock system. E_IOCK Simply calls 
SPIN LOCK in its presext desian. 

The following changes were made to the Inner Traffic 
Controller: 

(1) The provision for a jump table’ was removed when a 
working version of the linker was introducec. This involved 
Femoving the constant TC_PaEEMPT HANDLER and adding an 


“external declaration for the TC PREEMPT HANLILER Procedure. 


CO 


(2) Minor changes were necessary in three procedures to 
modify the message size from on€ word to 4a sixteen tyte 
array (minor changes were also needed in the declaration 
section). The procedures effected were: ENTER_MSG_LIST, 
eto t MSG, and WAIT. The changes are documented in the 
meee tor e€ach procedure. 

The following procedures were added to tic weer rat fic 
Controller: 

(1) €C_GET_PROC_CLASS Procedure. This procedure locates 
and returns the current process ’s clasSification (i.e., it 
retrieves the SAC entry from the APT). It was used in 
Segment management tec retrieve the PROC_CLASS for the 
Segment Manager. 

(3) TC_GET _DBR_NO Frocedure. This procedure returrs the 
meres ce NO valve from the APT. The Segment Manager used 
Mors procedure to obtain the DBR_NO to pass to the memory 
manager. 

The version of the Traffic Controller shown in Appendix 
eas a stub of Reitz’ [9] actual work. This stut contains 
the elements of tne TC Module needed for proper operation of 


the segment management demonstration. 
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APPENDIX E -— SEGMENT MANAGEMENT DEMONSTRATION 


Mm. DESCRIPTION 

The Seg Mar.Demo, as Stated before, is built onto Reitz~ 
Sync Demo (which was designed for a different purpose than 
segment management, obviously). The functions illustrated by 
the present demonstration are: (1) virtual processor 
synchronization and (2) sSeement management functicn 
Bemmeonmance. The listings of the modules involved are in 
appendices A-F and Il. It iS Suggested that the ASM versions 
me used as references; Pieces yersions Sem ed as 
“pseudo-code during detailed desien, but are untested. The 
nérrative discussion Perc emCemMOmct ration COntext euara! 
sequence is presented eto The output gererated at each 
Brocess entry point will identify the signallér in e@ach case 
and the action the current process taxes. The following 
actions are illustrated (viz.,  simuleted ) ir this 
demonstraticn. Nete that this simulation uses the ITC 
SIGNAL/WAIT primitives instead of the TC ADVANCE/AWAIT 
primitives that are not yet implemented. 

eed lt7OGelnterrupt signals the 10 process that a 

packet from the host is ready. The IO process is 

Seteduleds it Teeds tne packet (output: IC: Receive 

Command) and signals the FM process (output: “IO: 


Signal FM (Creéate)’), passing the command (CREATE is 
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sirulated). The 10 process calls Wait, thus tlocxing 


itself while waitine for a Signal from the FM 


process. 
2. The FM wyrocess’ is scheduled (output: 
"lO=Signaller’); it interprets the command 


(Simulated) as CREATE and thus calls CREATE SEG in 
the Segment Manager (output: ORES EAL 


Kernel(Create) ). The normal input areumerts for 


S% 


3 
q2 


ted 


CR4aT ame wpasised sinathis call. 


S. € 


ta) 


WATE SEG validates the CREATE request and then 
momo CAZATS ENTEY in the Distributed Memory 
Manager. 

4. MM CREATE ENTRY signals the memory maréger 
process (MM process) and calls WAIT, thus tlocking 
ieseis while Walting for a signal from the MM 
process. 

Si The MM process is scheduled (acanitgol> t : 
“Kernel=Signaller (for FM) ); the mainline code 
interprets the function code and calls the 
OmeeroeoNERY procedure for action. When action is 
complete (output: MM: CREATE ENTRY), the procedure 
Pemurns to the mainline code. The MM process signals 
the return success code in a message to the FM 
Presess, ss tten Calls SHATT to wait for the next 
Signal. 


6. The FM process iS Scheduled (ovtput: “Return fror 
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Kernel ). The FM process then signals completion of 
OPent® to the 10 wyrocess and calls WAIT (cutput: 


FM: Signal I0). 


as 


3 


he 10 process is scheduled (cu moult: 
"FM=Signaller ). It signals the FM process to cause 
a “read” to occur, i.e., the same pattern as in 
Steps b. through e. occur for MAKE KNOWN and SWAP_IN 
prior to the FM process signalling back to the [0 
process that the “read was corpleted. This “read” 
is defined strictly Pomme i Samtecrs anc is not 
equivalent tO a typical Read File packet. 

8. The IO process will then be again scheduled and 
Will perform the Same functions as did the FM 
process (i.e., will call MAKE KNOWN and SM _SWAP_IN 
Sequentially) for the Same Seerent. 

9. The I0 process will again be scheduled and will 
Signal the IM process to perform the same sequence 
femeesecrined in ¢. for SM_SWAP_CUT and TInMINATE. 
12. The IO process will again be scheduled and will 
Bepedtestep 2. with SM_SWAP_OUT and TERMINATE. 

11. The IO process will again be scheduled and will 
cause the FM process to repeat steps b. throven e. 
to delete (DELETE_SEG called) the segment. 


Waoeeoe entre boop repeats forever. 


eH 





fe INITIALIZATION 

The description of the intialization of the catabases is 
presented in figures containing the apprepriate memory date. 
reference to the previous descriptions of these databases 
and the type declarations will te useful. Figure 9 is tke 
initialized Active Process Table. Figure 12 1s the 
initialized Virtual Processor Table. Figure 11 is partial 
representation of the initialized KST hOmmeerae ='4 process 
(935€¢2) and the I0 process (97@€). Figure 12 is partial 
representation of the initialized MMU_IMACE. figure 13 is 
partial representation of the initialized process Stack 
Beements. Figure i4 is the corresponding link command line 
and response, and the Imager command line and response. 
Figure 15 is the loac command lines and response, and the 
register initializaticns. Figure 16 is the output (as 


displaved on the CFT screen) generated ty the demonstration. 
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